Some ideas age well, whilst others need to evolve. In 2015, I introduced the STORMCLOUD method as a practical thought tool for identifying architectural risks.
A decade on, the enterprise landscape has changed beyond recognition and STORMCLOUD, while still sound at its core, needs updating for a world of agentic AI, cloud concentration, regulatory complexity and machine-speed cyber threats. As such, I have evolved it into STORMWATCH.
Where It Started: STORMCLOUD
Back in 2015, I wrote a short but practical post (Architecture Thought Tool: Working out your Risks) introducing a structured method for identifying risks in architecture projects and assignments.
The premise was simple: rather than relying on intuition or ad hoc brainstorming, use a repeatable mnemonic to systematically examine the most common risk dimensions.
The original STORMCLOUD covered eleven areas:
- Schedule
- Technology
- Organisation
- Resources
- Methods
- Compatibility
- Lifecycle
- Over-engineering
- Users
- Dependencies
- Suppliers
It worked (and to an extent it still works) as a fast, memorable checklist that prevents the most common blind spots in architectural risk thinking.
The mnemonic format makes it easy to apply consistently, which is itself a significant practical advantage over ad hoc approaches.
As the blog Risk Publishing states, only 35% of organisations have comprehensive risk identification processes in place, so having any structured method puts you ahead of the majority.
But the world has changed dramatically and STORMCLOUD, designed for a world of on-premise infrastructure, waterfall delivery and relatively contained threat landscapes, has gaps that matter enormously in 2026.
STORMCLOUD doesn’t directly address agentic AI, cloud concentration, regulatory complexity or machine-speed cyber threats. It was time for an upgrade.
Introducing STORMWATCH
STORMWATCH preserves everything that made STORMCLOUD effective (the first five letters are unchanged) and extends it with five new dimensions that reflect the realities of Enterprise Architecture in 2026.
The metaphor is deliberate: STORMCLOUD told you where the risks were. STORMWATCH tells you what’s coming.
| Letter | Dimension | What to examine |
|---|---|---|
| S | Schedule | Delivery timelines, milestones, dependencies on critical path |
| T | Technology | Technology choices, maturity, fit-for-purpose, technical debt |
| O | Organisation | Organisational readiness, change capacity, culture, skills, organisational debt |
| R | Resources | Budget, people, skills availability, capacity constraints |
| M | Methods | Delivery approach, governance, architecture practices |
| W | Wider Regulatory & Compliance | GDPR, DORA, EU AI Act, sector regulation, data sovereignty |
| A | AI & Algorithmic Risk | Model bias, hallucination, explainability, agentic autonomy, drift, governance |
| T | Third Parties, Suppliers & Dependencies | Vendor concentration, supply chain risk, integration dependencies |
| C | Cyber & Security | Threat surface, zero trust gaps, attack vectors, identity risk |
| H | Hybrid Cloud & Vendor Lock-in | Cloud concentration, platform dependency, exit risk, data portability |
The original STORMCLOUD dimensions (Compatibility, Lifecycle, Over-engineering and Users) are absorbed into the broader dimensions within the table above (Technology, Methods, Organisation and AI & Algorithmic Risk respectively), keeping the framework lean while expanding its coverage.
STORMWATCH -> TOGAF Risk Management Mapping
TOGAF’s risk management approach (defined in Chapter 27 of the TOGAF Standard) describes a structured, iterative process that runs across all phases of the Architecture Development Method (ADM). It operates at two levels, Initial Risk (before mitigation) and Residual Risk (after mitigation), and consists of five core activities:
- Risk Classification — categorising risks by type (time, cost, scope, technology, environmental, contractual, etc.)
- Risk Identification — systematically surfacing risks across the transformation effort
- Initial Risk Assessment — rating likelihood and impact before mitigation
- Risk Mitigation & Residual Risk Assessment — defining responses and re-rating post-mitigation
- Risk Monitoring & Governance (Phase G) — ongoing tracking through implementation
STORMWATCH operates as a risk identification and classification tool, feeding directly into TOGAF’s first two activities and providing the structured vocabulary for populating the risk register that TOGAF then processes through assessment, mitigation and monitoring.
The table below maps each STORMWATCH dimension to the TOGAF risk classification categories and the ADM phases where each risk type is most likely to surface.

How STORMWATCH and TOGAF Work Together
The relationship between STORMWATCH and TOGAF is complementary, not competitive. TOGAF provides the process: how to classify, assess, mitigate and monitor risks across the ADM lifecycle. STORMWATCH provides the content: a structured, memorable checklist of what to look for when you sit down to identify risks at the start of an architecture engagement.
Think of it this way:
- STORMWATCH answers: “What risk dimensions should I examine?”
- TOGAF answers: “What do I do with the risks once I’ve found them?”
Used together, an Enterprise Architect can apply STORMWATCH at the beginning of any ADM cycle (particularly during the Preliminary Phase and Phase A, Architecture Vision) to rapidly populate the initial risk register.
That register then flows through TOGAF’s assessment, mitigation and monitoring activities, with residual risks tracked through Phase G (Implementation Governance).
Where STORMWATCH Extends TOGAF
TOGAF’s risk classification categories (time, cost, scope, technological, environmental, contractual) were designed for a world of planned architecture transformation programmes. They remain valid, but they do not explicitly name three of STORMWATCH’s most critical 2026 dimensions:
- AI & Algorithmic Risk – TOGAF has no dedicated category for model bias, hallucination, agentic autonomy or AI governance. STORMWATCH fills this gap explicitly.
- Cyber & Security – While TOGAF’s Integrating Risk and Security guidance exists, cybersecurity is not a first-class risk category in the core ADM risk framework. STORMWATCH elevates it.
- Hybrid Cloud & Vendor Lock-in – Cloud concentration and data sovereignty are not named in TOGAF’s risk taxonomy. STORMWATCH makes them explicit.
In this sense, STORMWATCH is not just a checklist: it provides an updated risk vocabulary for Enterprise Architects who work within TOGAF-aligned governance frameworks but need their risk identification to reflect the realities of 2026.
Applying STORMWATCH in Practice
STORMWATCH is designed to be used in the same way as the original STORMCLOUD, as a fast and structured thought tool at the start of any architecture engagement, project or review.
Work through each letter systematically, identify the risks in each dimension and then:
- Mitigate the risks that can be addressed through design
- Accept the risks that are understood and within tolerance
- Escalate the risks that require leadership or governance decisions
- Monitor the risks that are dynamic and need ongoing watch
Closing Thought
Good tools evolve. The best mental models are not static frameworks; they are living instruments that practitioners refine as the world changes around them.
I’ll end this post with two questions:
- What risk identification tools do you use in your architecture practice?
- What dimensions would you add to STORMWATCH?
References & Further Reading
- AI Risk Management: Frameworks, Threats, and Strategies for 2026 – Risk Publishing
- TOGAF Standard – The Open Group