“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
This quote comes from a translation of the Art of War by Sun Tzu, written in China in what is estimated to be 512 BC. It could seem farfetched to assert that this ancient quote is appropriate in today’s business environment, but it is actually a good metaphor for the challenges and rewards of enterprise architecture (EA)-backed risk management.
To adapt it to the business context, let’s pacify and update the quote by removing battles and enemies: battles will be business challenges and enemies will be risks threatening the success of your operations. Simply put, Sun Tzu posits that knowing your risks is not enough to ensure your success. Knowledge of the processes that may create the risks is also crucial for success. Incidentally, considering risks in a vacuum is also only half a solution.
Obviously, the “succumb in every battle” outcome brought about by ignorance of both the processes and the risks needs no further explanation. It is the “every victory for a defeat” outcome that deserves particular attention. Let’s take a hypothetical situation where you consider only your risks, with no concern for the business processes. Paying attention to the risks will allow you to put controls in place and thus limit the risks, but doing so without considering how the risks affect your processes, or which processes may have created the risks, is inefficient. Some risks are more important than others because they affect key business processes. Without a mapping of your risks alongside your processes, you would have to treat every risk as if it were critical. This obviously means spending more resources than needed on managing the risks and, to follow the metaphor, not having as many soldiers as you should for the next battle.
How to win a hundred battles then? Mastering your processes is the first step: mapping them, establishing objectives, threats, controls, procedures, etc. Building and drawing your company’s architecture, the road map that will lead you to your objectives, is the stepping stone. Business blueprints, creating a common understanding of the organization, and recognizing strategic and tactical business demands will give you the ability to monitor and upgrade performance. That is what enterprise architecture is. The second step would be to add the risks to this blueprint, this conceptual construct. Because your process is real and not just a concept, there are risks that could jeopardize it. Once more, awareness, control, and planning will do the trick, curbing the potential impact or the probability that your process will be derailed. You could even go one step further and integrate all the factors that may influence performance and strategy: competitors, technology, supply chain, regulations, etc. You’d be beyond enterprise architecture and into business architecture.
By combining EA and risk management, you face the real threats to your objectives with the appropriate answer: knowledge of what you have and what you want, and awareness of the threats. You are equipped for battle. Furthermore, EA and risk management will feed each other. Better EA means more appropriate risk management (because the risks will be better identified in context), and better risk management will give you tools to drive performance.