School of Information Systems

Risk Classification System

According to the TOGAF® Standard, Version 9.2, risk is pervasive in any enterprise architecture activity and is present in all phases of the Architecture Development Method (ADM). From a management perspective, it is useful to classify risks so that they can be mitigated as expeditiously as possible. Risks are normally classified as time (schedule), cost (budget), and scope, but they could also include client transformation relationship risks, contractual risks, technological risks, scope and complexity risks, environmental (corporate) risks, personnel risks, and client acceptance risks.

Based on PESTLE analysis, a risk classification system has 6 aspects:

  • Political: this factor determines the extent to which a government may influence the economy or a certain industry. Political factors include tax policies, fiscal policy, and trade tariffs that a government may levy around the fiscal year, which may affect the business environment.
  • Economic: this factor covers the determinants of an economy’s performance that directly impact a company and have resonating long-term effects. Economic factors include inflation rate, interest rates, foreign exchange rates, and economic growth patterns.
  • Social: this factor takes into consideration all events that affect the market and community socially. Social factors include cultural expectations, norms, population dynamics, health consciousness, career attitudes, and global warming.
  • Technological: this factor pertains to innovations in technology that may affect the operations of the industry and the market favorably or unfavorably. Technological factors include automation, research and development, and the amount of technological awareness that a market possesses.
  • Legal: this factor takes the relevant legal angles into account and charts out strategies in light of the applicable legislation. Legal factors include consumer laws, safety standards, and labor laws.
  • Ethical or Environmental: this factor is determined by the surrounding environment. Environmental factors include but are not limited to climate, weather, geographical location, global changes in climate, environmental offsets, ground conditions, ground contamination, and nearby water sources.

This is the table of the PESTLE risk classification system.

Risks can also be classified by timescale:

1. A short-term risk (immediate) has the ability to impact the objectives, key dependencies and core processes, with the impact being immediate. These risks can cause disruption to operations as soon as the event occurs.

2. A medium-term risk (up to 1 year or decision makes) has the ability to impact the organization following a (short) delay after the event occurs. The impact of a medium-term risk would not be apparent immediately but would be apparent within months, or at most a year after the event.

3. A long-term risk (up to 5 years) has the ability to impact the organization sometime after the event occurs. This impact could occur between one and five years or more after the event.

The following risk classification system is adopted for capturing the results of a risk assessment, with three scoring levels:

  • High-risk: items whose protection is required by law or that, if compromised, can lead to significant impact on the organization’s business, safety or finances. Examples are personal data, financial data, the central data center, and central administrative systems.
  • Moderate-risk: items that, if compromised, can lead to noticeable impact on the organization’s business, safety or finances. Examples are operational systems, official web sites, office computers, etc.
  • Low-risk: items that are not classified as high-risk or moderate-risk. Examples are demo systems and published research data.

This is an example of the scoring levels of the risk classification.