Category Archives: ArchiMate

Why Boards Overlook Enterprise Architecture

20 Tuesday Jan 2026

Posted by in ArchiMate, Architecture, Enterprise Architecture, Story Telling

Leave a comment

Tags

, , ,

Enterprise Architecture (EA) has been part of organisations for many decades. Most companies have some form of EA and plenty of diagrams meant to show how everything fits together.  These are often built around frameworks such as TOGAF and Zachman, but there are several other well-established architecture frameworks that can be used depending on industry and requirements.

Yet when boards discuss technology, architecture may not feature on the agenda unless there’s a problem. It’s not that boards don’t care or know about architecture, the issue is that EA can be seen as not delivering what boards genuinely need.

Why Boards Rarely Discuss Architecture

Boards typically only hear about architecture when something goes wrong: a hack or security issue, a major outage, a failed transformation or a regulatory breach. Otherwise architecture may be left out of the conversation. The reason isn’t indifference, but more that EA often misses the mark on what matters most to the board.

What Boards Care About (Not Diagrams)

Boards have a handful of core responsibilities and these can follow a governance code / framework

Examples of governance codes/frameworks (others are available):

This article provides a good explaination of a board governance framework “What are the core components of a board governance framework?

Some of these responsibilities cover areas such as:

  • Strategic coherence: Are we investing in the right capabilities to succeed?
  • Risk oversight: Where could the business fail on a large scale? (for example COSO ERM)
  • Capital allocation: Are our technology investments building lasting value?
  • Execution confidence: Can management deliver on its promises?
  • Ethical oversight: Are we upholding appropriate standards of conduct and integrity?
  • Resilience: Can we adapt to shocks, new regulations or disruptions? (For example: guidance from the UK FCA)
  • Stakeholder engagement: Are we considering the interests of shareholders, employees, customers and society?
  • Compliance and legal responsibility: Are we fulfilling our statutory and regulatory obligations?
  • Performance monitoring: Are we regularly reviewing organisational performance against targets and objectives?

Technology serves as the foundation supporting each of these critical governance areas. However the board’s primary concern is not with technology itself, but with the confidence that technological choices are purposeful, well-aligned with overall organisational objectives and capable of being maintained over time.

Boards are seeking assurance and reassurance that all technology related decisions are made with intention, in harmony with strategic aims and are structured to support ongoing sustainability.

When Enterprise Architecture fails at Board Level

When EA fails at the board level, it often shows up with:

  • Dense application landscape diagrams (EA is positioned too low)
  • Framework heavy language (TOGAF, Zachman, capability maps)
  • EA is measured on output and not impact
  • Long lists of “standards” and “principles”
  • Abstract future state visions disconnected from funding decisions

This can happen when an EA function focuses on:

While these areas are essential for building a sound EA /technical foundation, they do not by themselves address the broader, strategic questions that boards are concerned with, such as the organisation’s fragility, implicit assumptions, compounding risks or potential bottlenecks under pressure.

This can create a disconnect between what EA can typically deliver and the insight boards actually require to steer the business effectively.

Enterprise Architecture / Architecture can becomes valuable to a board when it explains why certain outcomes are likely or unlikely given the current shape of the enterprise. This is an idea aligned with Systems Thinking.

What Boards Actually Need from Enterprise Architecture

A Map of Enterprise Constraints (Not Systems)

Boards need to see where change is slow, expensive or risky. Consider these questions which a board needs to understand and align with the Theory of Constraints at the enterprise level.

  • Where change is slow, expensive or risky?
  • Which capabilities are tightly coupled?
  • What cannot be altered quickly without cascading impact?

Mapping an architecture and using an EA tool to do this can help in identifying answers to these questions, but remember these diagrams are not what the board are looking for, but providing a constraint map of the architecture.

  • “If we pursue Strategy X, these three bottlenecks will determine our cost, timeline and risk.”

Early Warning Signals, not Post-Event Explanations

Most architecture analysis happens after failure:

  • “Here’s why the outage happened”
  • “Here’s why the transformation stalled”

Boards need EA to surface leading indicators that don’t match strategy. These signals should work like Key Risk Indicators (KRIs) in risk management:

  • Rising integration density
  • Fragile data ownership
  • Overloaded platforms
  • Capability dependencies that no longer match strategy

Without this, architecture can remain reactive and something repeatedly criticised in post-incident reviews such as major outages.

Clear Trade-Offs Tied to Strategy

Every architectural decision involves a bet such as:

  • Centralisation vs. autonomy
  • Speed vs. control
  • Standardisation vs. differentiation

Boards don’t need the “right” answer, but rather a need to know which trade-offs management is making and which ones they’re inheriting by default. A good EA makes these choices explicit, a poor EA hides them behind technical language.

A Line of Sight from Spend to Structural Outcomes

Boards approve large technology budgets with surprisingly little insight into what those investments change structurally. If architecture cannot connect spending to changes in the enterprise, boards will see technology investment as risky and uncleary. This is where IT value realisation can help.

EA should consider this IT Value Realisation checklist

  • 1) Outcomes defined & quantified (targets, baselines, owners)
  • 2) Capability → value stream → process model in place
  • 3) Architecture decisions trace to value hypotheses
  • 4) Governance embeds value gates (Architecture Review Boards)
  • 5) Tooling configured for reuse & traceability (Archimate / UML)
  • 6) Incremental delivery plan
  • 7) Benefits tracking live (variance, forecast vs. actual, corrective actions)
  • 8) Operating model aligned (ITIL/IT4IT value streams instrumented)
  • 9) Risk controls (security, compliance, quantum‑resilience strategy)
  • 10) Communication cadence (value dashboards to execs/boards)

Confidence That Someone Is Watching the Whole System

Boards want to know that someone genuinely understands how the organisation works as a system. This expectation matches the intent behind enterprise-wide architecture governance, not just IT governance. This is a function that Enterprise Architecture should be fulfilling.

Reframing Enterprise Architecture for the Board

If if EA is to truly influence decision making at the highest level, it must evolve its approach.

To become relevant at board level, EA must shift from traditional practices to a more impactful, business centric approach. This transformation involves:

Describing the enterpriseExplaining its behaviour

Instead of merely cataloguing systems and processes, Enterprise Architecture should interpret how the organisation functions, highlighting patterns, interdependencies and emergent risks.

This can be met by telling stories about why things happen the way they do and what that means for the board’s strategic oversight.

Defining standardsSurfacing consequences

Rather than presenting lists of standards and principles, Enterprise Architecture should highlight the real world implications of these choices.

  • What risks are introduced or mitigated?
  • How do these standards impact business agility, resilience, or regulatory compliance?

Boards need to understand not just what the rules are, but why they matter.

Producing modelsInfluencing decisions

Enterprise Architecture should move beyond the creation of abstract models and frameworks by using its insights to actively shape board-level discussions.

This can be met by providing recommendations, challenging assumptions and framing choices in terms of risk, opportunity and strategic alignment.

The critical question EA must answer for boards

“Given how this enterprise is built today, what should leaders worry about tomorrow?”

This question captures the essence of board-level engagement. Anticipating future challenges, highlighting areas of fragility and ensuring leaders are equipped to make informed, forward-looking decisions.

Enterprise Architecture’s true value lies in its ability to surface these concerns before they become crises enabling boards to act proactively rather than reactively.

When EA can answer board level questions with clarity and relevance, the board will listen.

Further Reading

ISO/IEC 42010 for architecture descriptions

System Thinking

Theory of Constraints

Building Cyber Resilience: Enterprise Architecture and ArchiMate for Strategic Security

14 Tuesday Oct 2025

Posted by in ArchiMate, Enterprise Architecture, Security

Leave a comment

Tags

, , , , , ,

The Boardroom Imperative

The NCSC Annual Review 2025 serves as a powerful reminder that cyber risk is no longer confined to the IT department. Instead, it has become a critical issue that demands attention at the highest levels of leadership. The NCSC report emphatically urges decision-makers to “open your eyes to the imminent risk to your economic security.” It makes clear that cyber incidents have the potential to disrupt essential operations, inflict lasting reputational damage and result in significant financial and legal repercussions.

In an environment where threats are ever-present and the risk of future threatsis growing rapidly, true organisational resilience depends on strategic foresight, thorough preparation and the capacity to recover effectively from attacks.

The pressing question then, is how organisations can translate these warnings and insights into practical action. A compelling solution lies in the adoption of robust Enterprise Architecture practices. Specifically the use of ArchiMate enables organisations to systematically document their enterprise landscape and the relationships between systems, providing the clarity needed to strengthen resilience.

Enterprise Architecture: A Blueprint for Cyber Resilience

The NCSC report makes it clear: cyber security is now critical to business longevity and success. It is not just about technology anymore. It is about understanding how your organisation operates, how systems interact and where vulnerabilities lie. The report calls for all business leaders to take responsibility for their organisation’s cyber resilience, moving beyond technical silos to a holistic, strategic approach.

Enterprise Architecture provides the blueprint for this approach. It helps organisations map out their business processes, applications, data and technology infrastructure. By visualising these elements and their interconnections, leaders can take meaningful steps towards resilience.

Key Benefits of Enterprise Architecture for Cyber Resilience

  • Identify critical assets and dependencies
  • Assess risk exposure across the enterprise
  • Plan for continuity and rapid recovery
  • Communicate cyber risk in business terms

ArchiMate: Documenting the Enterprise

ArchiMate is an open and widely adopted modelling language specifically designed for enterprise architecture. It allows organisations to create clear and consistent diagrams that illustrate how business processes, application landscapes, and technology layers align and interact with one another.

Using ArchiMate, organisations can achieve several key objectives:

Model business processes and their supporting systems – Providing a structured view of how core operations are underpinned by technology.

Map data flows and integrations between applications – Offering clarity on how information moves throughout the organisation and where potential integration points or vulnerabilities may exist.

Visualise technology infrastructure and network boundaries – Enabling a comprehensive understanding of the technology landscape and its security perimeters.

Document relationships and dependencies between systems – Ensuring that all critical interconnections and dependencies are recorded, which is essential for risk assessment and resilience planning.

This approach is particularly important in the context of cyber resilience. The NCSC report underscores that attackers often exploit the complexity and interconnectedness of systems. Without a clear understanding of how systems depend on and relate to each other, organisations risk overlooking critical vulnerabilities or being unable to recover swiftly from security incidents.

Source of diagram: https://www.opengroup.org/archimate%C2%AE-forum-0

The Importance of Documenting Relationships

The NCSC Annual Review emphasises that resilience extends beyond mere prevention; it encompasses an organisation’s capacity to continue operating and to recover effectively after a disruptive incident. One crucial aspect of building such resilience is the thorough documentation of relationships between systems. This practice serves several essential purposes:

Risk Assessment – A clear understanding of how systems depend on one another is fundamental for identifying single points of failure as well as recognising where cascading impacts may arise. By mapping out these dependencies, organisations can better anticipate and manage risks that might jeopardise operational continuity.

Incident Response – In the event of a cyberattack or other disruptive incident, having documented knowledge of system interconnections allows for quicker isolation and containment of threats. This, in turn, enables a more efficient recovery process, minimising downtime and damage.

Compliance and Governance – With regulatory bodies increasingly demanding proof of robust cyber risk management, having comprehensive documentation of system architecture provides the necessary assurance. It demonstrates a proactive approach to governance and supports compliance with industry standards.

Continuous Improvement – The technology landscape and threat environment are constantly evolving. Maintaining up-to-date architecture documentation ensures that organisations remain agile, capable of adapting to new risks, and able to reinforce their defences as needed.

Identification of Organisational and Technical Debt – Documenting relationships also helps in pinpointing areas of organisational and technical debt. This awareness is vital for planning improvements and ensuring that legacy issues do not compromise cyber resilience.

Practical Steps for Enhancing Cyber Resilience

The following practical steps outline how to leverage enterprise architecture tools and the ArchiMate framework to strengthen your organisation’s defences:

Utilise Enterprise Architects and Tooling – A good Enterprise Architect understands how to get the best out of modelling a business and systems. Use Enterprise Architecture tools such as ArchiMate to streamline the process of mapping and documenting your organisation’s systems and their interconnections.

Start with a Baseline – Begin by creating a high-level overview of your organisation’s business processes, applications, and underlying technology. This baseline serves as the foundation for understanding how different elements interact and where vulnerabilities may exist.

Identify Relationships – Carefully document all integrations, data flows, and dependencies within your system architecture. Paying particular attention to legacy systems and third-party connections, as these often present unique risks and challenges.

Assess and Prioritise – Use your architectural model to pinpoint critical assets. This enables you to prioritise resilience measures, ensuring that essential systems receive appropriate attention and protection.

Communicate – Share your documented architecture with key stakeholders, including board members, IT teams, and external partners. Clear communication ensures all parties are aware of the risks involved and the responsibilities required to mitigate them.

Review Regularly – Continuously update your system documentation to reflect changes in technology, emerging threats, and lessons learned from past incidents. Regular reviews ensure that your organisation remains prepared to adapt to an evolving threat landscape.

Keep a copy offline – Keep a copy of your models so that you can access them when you cant access you systems.

Further Reading / Sources

The Role of Enterprise Architecture in Fostering Innovation