Loading...

IT Architecture and Risk Management

Fundamentals - Methodology - Techniques - Critical assessment

Seminar Paper 2011 26 Pages

Computer Science - Commercial Information Technology

Excerpt

Table of Contents

1 Introduction

2 Fundamentals
2.1 Fundamentals of Enterprise and IT Architecture
2.1.1 Architecture
2.1.2 Enterprise Architecture
2.1.3 IT Architecture and Architecture Management
2.2 Risk and Risk Management
2.2.1 Risk
2.2.2 Risk Management

3 IT Risk Management
3.1 Role of IT Risk Management
3.2 IT Risk Management
3.3 IT Risk Management Process
3.4 IT Risk Analysis Instruments
3.5 IT Risk Management in Architecture Life Cycle
3.6 IT Risk Management and Compliance

4 Discussion
4.1 Benefits of IT Risk Management
4.2 Limitations of IT Risk Management

5 Summary and Prospects
Bibliography

A Enterprise Architecture

B IT Architecture

C IT Risk Analysis Instruments

List of Figures

2.1 Enterprise Architecture Pyramid
2.2 IT Architecture - Element of Enterprise Architecture
2.3 Elements of Risk and Risk Management

3.1 Role of IT Risk Management
3.2 Groups of IT Risk
3.3 IT Risk Management Process
3.4 IT Risk Classification Scheme
3.5 Risk Analysis Methods
3.6 IT Risk Management in Architecture Life Cycle

A.1 Benefits of Enterprise Architecture

B.1 IT Architecture Development Cycle
B.2 IT Risk Management in System Life Cycle

C.1 Event Tree Analysis
C.2 Value Benefit Analysis

List of Abbreviations

illustration not visible in this excerpt

Chapter 1 Introduction

"In the twenty-first century, IT architecture wil l be the determining factor.

The factor that separates the winners from the losers, the successful and the failures, the survivors from the others."

(Zachman, 1996, p. 2)

The author Zachman (1996, p. 7) emphasises in his article the growing significance of IT archit e ctur e for modern enterprises. According to Zachman (1996, p. 1) IT ar chitec- tur e aligns business strategy with information technology and enables the achievement of business goals. Therefore, an efficient IT ar chite ctur e is a key factor for companies which are faced with increasing changing markets and shorter product life cycles. In contrast to that, an estimated 68% of corporate IT projects are neither on time nor on budget and they don’t deliver the original stated business goals (Jeffery & Leliveld, 2004). Regarding Fairbanks (2010, p. 8) a major cause for this is an insufficient risk management in the IT ar chite ctur e development in principle. Therefore many IT ar chitects ask themselves, how they could identify and prioritize their project’s most pressing risks? Which architecture and design techniques mitigate the risks and what is the amount of risk reduction?

In order to answer these questions, section 2.1 defines the terms ar chite ctur e and enter- prise architecture before it deals with the IT ar chite ctur e itself. The following section 2.2 gives an overview of risk and risk management in general.

Chapter 3 presents the main chapter of this assignment. At first, it gives a brief overview of the role of IT risk management in the scope of strategic management. The next two sections illustrate the IT ri sk management and IT ri sk management process. In addition to that, section 3.4 describes different instruments for IT risk analysis whereas section 3.5 shows how IT risk management can be implemented in the ar chite ctur e life cycle. The section 3.6 outlines the regulations which affect IT risk management.

illustration not visible in this excerpt

Moreover chapter 4 discusses the benefits and limitations of IT risk management. Finally chapter 5 summarizes the basic insights and gives a short perspective.

Chapter 2 F undamentals

2.1 Fundamentals of Enterprise and IT Architecture

2.1.1 Architecture

In reference to Lankhorst (2009, p. 1) ar chite ctur e helps to manage the complexity of any large organisation, software or system with a blueprint and general principles. Therefore, the term ar chite ctur e can be defined as the following:

"Ar chite ctur e is the fundamental organization of a system embodied in its components, their relationships to each other and to the environment and the principles guiding its design and evolution." (IEEE, 2000)

2.1.2 Enterprise Architecture

Definition of Enterprise Architecture

Regarding Keller (2006, p. 14) an ar chite ctur e at the level of an entire organisation is commonly defined as enterprise architecture (EA). In contrast to the general definition of ar chite ctur e, enterprise architecture is settled at a higher level. It has a less technical and more business oriented focus (Keller, 2006, p. 15). This leads us to the following definition of enterprise architecture:

"A coherent whole of principles methods and models that are used in the design and reali- sation of an enterprises organizational structure, business processes, information systems, and infrastructure." (Lankhorst, 2009, p.3)

Basic Structure of Enterprise Architecture

In general, the basic structure of an EA can be represented by three main levels, called business, applic ation and system ar chite ctur e (Niemann, 2010). The main levels with their components are shown in the EA pyramid and will be shortly characterised (Figure 2.1):

illustration not visible in this excerpt

Figure 2.1: EA Pyramid (Niemann, 2006, p. 17, adjusted diagram)

1. Business Architecture is a collection of plans, that describe the major business of an enterprise (Niemann, 2010, p. 86). The parts of business architecture are goals, conditions, components, organisations and business processes. The following two layers concentrate on the alignment of the business processes in order to fulfill an optimal IT support.
2. Application Architecture provides a blueprint of the entire applic ation systems and services with the corresponding technologies. It clarifies the interaction between the enterprise’s systems and the their relationships to the business processes (Keller, 2006, p. 30).
3. System Architecture specifies the physical landscape of an enterprise. On the one side, it describes the physical deployment of every applic ation system. On the other side it gives an overall view of the configuration of communication networks, servers and low-level software components.

Benefits of Enterprise Architecture

The benefits of EA can be separated into three main groups:

- IT Efficiency: EA defines a set of guidelines, best practices and standards. This leads to do things right at a higher level.
- IT Effectiveness: EA provides a knowledge base and support for decision making. Thus, it helps to select the right things.
- IT Reliability: EA represents a transparent view of the whole enterprise. There- fore, risks can be recognized and eliminated in an early stage.

2.1.3 IT Architecture and Architecture Management

Definition of IT Architecture

Regarding Niemann (2006, p. 21) IT ar chite ctur e represents a blueprint for enterprise IT systems. Therefore, IT ar chite ctur e comprises the layers applic ation ar chite ctur e and system ar chite ctur e of the EA pyramid (Engels, 2008, p. 78). Its counterpart is business architecture which is already defined as a layer in the EA pyramid (Figure 2.2).

illustration not visible in this excerpt

Figure 2.2: IT Architecture - Element of Enterprise Architecture (Engels, 2008, p. 78)

Architecture Management

Ar chite ctur e management is related to Niemann (2006, p. 22) a continuous process of aligning IT ar chite ctur e at business core processes. According to the Deming cycle, the primary functions of IT ar chite ctur e management are documenting, analysing, planning, acting and checking (Figure B.1).

2.2 Risk and Risk Management

2.2.1 Risk

Ri sk is defined as the product of the likeliho od of an event and its imp act (Kouns & Minoli, 2010, p. 34). Therefore, it can be expressed in the following mathematical formula:

Ri sk = (Probability of event occurring) × (Imp act of event occurring)

Probability: It is a measure of how likely will a particular event occur.

Impact: The expected value of the loss.

The formula points out, that less probable events with a high impact have the same risk like events with a higher probability but low impact. The left diagrams gives an overview of the overall risk components (Figure 2.3).

2.2.2 Risk Management

In reference to Kerzner (2009, p. 746) risk management can be summarized as follows:

- Definition: R isk management is the practice of dealing with risk. It includes planning for risks], identifying risks, analysing risks, development of risk r esponse strategies and at last monitoring and c ontrolli ng risks in order to determine how they have changed (Figure 2.3) (Kerzner, 2009, p. 746).
- Objective: The major objective of risk management is to avoid or mitigate the probability and impact of negative events (PMI, 2008, p. 273).

illustration not visible in this excerpt

Figure 2.3: Elements of Risk and Risk Management (Kerzner, 2009, pp. 744-746)

Chapter 3 IT Risk Management

3.1 Role of IT Risk Management

In order to understand the important role of IT risk management for IT ar chite ctur e, the methodology has to be arranged in the area of str ategic management (Figure 3.1):

illustration not visible in this excerpt

Figure 3.1: Role of IT Risk Management (Hofmann & Schmidt, 2007, p. 72)

1. Business and IT Goals: A business goal is derived from a business vision. It defines a long-term aspiration of an enterprise in the future. An IT goal is also derived from a IT vision. Moreover, it shall also be aligned at the business goals.
2. Business and IT-Strategy: The business and IT st r ategy determine how the business and IT goals shall be achieved.
3. Business and IT Architecture: The business and IT ar chite ctur e represent the enterprise architecture. The business architecture is responsible for the business pro- cesses whereas the IT ar chite ctur e looks for the optimal IT supp ort (Hofmann & Schmidt, 2007, p. 72.)

In this context, IT ar chitects are faced with str ategic, tactic al and oper ational IT risks. For this reason, they need an effective management process for dealing with them. Thus, the next three sections show, how a concrete IT risk management process looks like and what are the best instruments. Section 3.5 illustrates how IT risk management can be implemented in the whole ar chite ctur e management pr oc ess.

3.2 IT Risk Management

In general, IT risk management deals with all areas of risks which are related to IT. Regarding Hofmann & Schmidt (2007, p. 72) IT risks can be separated in three main groups (Figure 3.2):

The benefits of EA can be separated into three main groups:

- IT Strategic Risks cover all IT risks within the strategic context. A possible IT risk can be an insufficient coordination between business and IT str ategy.
- IT Tactical Risks describe the level of risks between strategic and operational level. A wrong decision of an enterprise application is an example for this area. The enterprise application can not be adjusted according the changed legislation.
- IT Operational Risks are the day-to-day risks for an IT ar chite ct. For instance, this contains security, performance and availability risks of the IT ar chite ctur e.

illustration not visible in this excerpt

Figure 3.2: Groups of IT Risk (own diagram)

3.3 IT Risk Management Process

The following IT risk management pr oc ess is based on the ISO/IEC 27005 standard (ISO & IEC, 2008). The process consists of several steps and can be implemented in every IT ar chite ctur e pr oje ct (Figure 3.3):

illustration not visible in this excerpt

Figure 3.3: IT Risk Management Process (Königs, 2009, p. 32)

Step 1 - Communication and Consult

Communic ation and consultation aims to identify who should be involved in an risk as- sessment for a concrete IT ar chite ctur e pr oje ct.

Step 2 - Establish Context

This step contains the definition of a strategy and methods for identifying and analysing risks. This contains of a risk management plan and a risk r egister for gathering risks (PMI, 2008, p. 282).

Step 3 - Identify Risks

The aim of this step is to identify possible risks that may affect the IT ar chite ctur e in a negative way (Kerzner, 2009, p. 755). The risks can be collected through br ain storming, interviews or SW OT analysis by answering the following questions: What can happen, how can it happen and why could it happen?

Step 4 - Analyse Risks

The next step is to classify risks with respect to their imp act and pr ob ability. A risk classific ation scheme can looks like follows (The Open Group, 2009) (Figure 3.4):

illustration not visible in this excerpt

Figure 3.4: IT Risk Classification Scheme (The Open Group, 2009, p. 350)

Step 5 - Evaluate Risks

After the classification of the IT risks the It ar chite ctur e group decides in this step whether risks are acceptable or need treatment. The result of the risk evaluation is a prioritised list of risks that require further action (Kerzner, 2009, p. 761).

Step 6 - Treat Risks

This step is responsible for developing options to reduce risks of an IT ar chite ctur e. Re- garding Kerzner (2009, p. 782) there exists four typical strategies for risk tr e atment:

- Ris k Avoidance involves changing the former I T architecture plan in order to eliminate the risk entirely.
- Risk Transfer requires shifting the negative impact of a risk to a third party. This action does not eliminate the risk.
- Risk Mitigation implies the reduction in the pr ob ability and/or imp act of a risk.
- Risk A cceptance indicates that the ar chite ctur e team plans to deal with the risk or is unable to identify any other suitable response strategy.

Step 7 - Monitor and Review Risks

The IT ar chite ct must monitor periodically risks to ensure that the risk r egister is up-to- date. Besides, the effectiveness of the risk tr eatment must be reviewed continuously.

A few risks will remain static. Therefore the IT risk management pr oc ess needs to be regularly repeated, so that new risks are captured in the process and effectively managed.

3.4 IT Risk Analysis Instruments

This section gives an overview of different instruments for the determination of risk values in the context of IT risk analysis. These instruments can be used for the evaluation of the whole IT ar chite ctur e, a IT pr oje ct or a single IT system (Königs, 2009) (Figure 3.5):

illustration not visible in this excerpt

Figure 3.5: Risk Analysis Methods (Königs, 2009, p. 43)

In principle, the analysis instruments will be divided into bottom-up and top-down anal- ysis. Moreover, the analysis will be separated if they provide qualitative or quantitative results:

- Bottom-Up Analysis is an inductive approach. It identifies and quantifies possible negative events following an initiating cause. In this context, the risks of an IT ar chite ctur e would be evaluated with the analysis of its sub-systems. An example for this approach is the event tree analysis (Figure C.1)
- T op-Down Analysis use a deductive approach. It defines top negative events and then use backward logic to define possible causes. These top negative events represent identified hazards or system failure modes. An example for the top-down analysis is the V alue Benefit A nalysis (Figure C.2)

3.5 IT Risk Management in Architecture Life Cycle

Regarding NIST (2002, p. 4) an effective risk management has to be totally integrated into the ar chite ctur e life cycles of an enterprise. For instance, the life cycle of an IT system contains of five phases (Figure 3.5). In this context, IT risk management is an iterative process that can be performed during each phase of the system life cycle (Table B.2).

illustration not visible in this excerpt

Figure 3.6: IT Risk Management in Architecture Life Cycle (NIST, 2002, p. 5)

3.6 IT Risk Management and Compliance

The last years are marked with violation and miss management in enterprises (Königs, 2009, p. 64). Therefore, new regulations have been adopted which shall lead to a trans- parent risk management in enterprises. This section gives a short overview of regulations which affects also the IT risk management of enterprises:

- K on T raG: The KonT r aG is operative in germany since 1998. It demands a com- panywide risk management in corporations. In relation to IT r isk management it requests mainly an adequate IT se curity management (Hofmann & Schmidt, 2007)
- Sarban-Okla y Act and COBIT: The Sarban-Oxley Act (SO X) was passed in the USA in 2002. It demands companies to introduce an adequate Internal Contr ol Structur e like the COSO framework by the SEC. The IT control framework COBIT is often used for the fulfillment of SO X in the IT sector (Königs, 2009, p. 76).

[...]

Details

Pages
26
Year
2011
ISBN (eBook)
9783640915651
ISBN (Book)
9783640916085
File size
1.9 MB
Language
English
Catalog Number
v171926
Institution / College
AKAD University of Applied Sciences Stuttgart
Grade
1,0
Tags
IT IT Architecture Risk Risk Management IT Risk Management Enterprise Architecture IT Risk Management Process IT Risk Analysis Risk Instruments IT Risk Intruments Architecture Life Cycle

Author

Previous

Title: IT Architecture and Risk Management