Understand your company’s risk profile
The basis of any risk assessment is that the company has a good overview of the critical assets in its possession. After all, it is the critical assets that need to be protected. Yet all too often companies simply do not have an overview of their critical assets, and lack the methods and terminology to identify them. This leaves the field open to the personal beliefs and pet concerns of individuals, and results in risk assessments of dubious quality.
With an ArchiMate model of the company's business and IT architecture as the starting point, a company has a solid foundation for building a systematic and comprehensive picture of its overall risk profile: the model shows which applications and infrastructure the critical business processes actually depend on, so a technology asset inherits the criticality of the processes it supports instead of being rated in isolation. Threats, vulnerabilities and existing controls are identified and documented in a risk assessment, and the risk that remains after the existing controls is recorded as the residual risk. A coherent plan for addressing residual risks that exceed what the company is willing to accept is collected in a risk treatment plan.
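The following Python is an added example, not part of the original page and not code from any ArchiMate tool. It models the idea in the paragraph above with a toy register: business, application and technology assets linked by dependencies, threats with a likelihood and the vulnerability they exploit, and controls that lower likelihood. Criticality is propagated down the dependency chain, so a database server that supports a critical order process is rated as critical even though nobody assigned it a value directly. The scoring (risk = likelihood times criticality, controls subtract likelihood steps, a numeric risk appetite) and all names and figures are constructed assumptions for illustration; a real assessment would use the company's own scales.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    layer: str                              # ArchiMate-style layer: business, application or technology
    value: int = 0                          # business value 1..5, normally set only on business assets
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Threat:
    name: str
    target: str                             # asset the threat acts on
    vulnerability: str                      # weakness that makes the threat realisable
    likelihood: int                         # 1..5 before any control is considered


@dataclass
class Control:
    name: str
    mitigates: str                          # name of the threat it addresses
    likelihood_reduction: int               # assumed: each control removes this many likelihood steps


def criticality(assets: Dict[str, Asset], name: str, path=frozenset()) -> int:
    """An asset is as critical as the most critical asset that depends on it.

    The dependency graph is walked upwards (who depends on me?) so that
    technology assets inherit the value of the business processes they serve.
    `path` guards against cycles in a sloppy model.
    """
    if name in path:
        return 0
    asset = assets[name]
    path = path | {name}
    inherited = [criticality(assets, a.name, path) for a in assets.values() if name in a.depends_on]
    return max([asset.value] + inherited)


def residual_likelihood(threat: Threat, controls: List[Control]) -> int:
    """Likelihood after existing controls; never below 1, a control does not make a threat vanish."""
    reduction = sum(c.likelihood_reduction for c in controls if c.mitigates == threat.name)
    return max(1, threat.likelihood - reduction)


def assess(assets: Dict[str, Asset], threats: List[Threat], controls: List[Control]) -> List[dict]:
    """Risk assessment rows: inherent risk ignores controls, residual risk includes them."""
    rows = []
    for t in threats:
        crit = criticality(assets, t.target)
        rows.append({
            "threat": t.name, "asset": t.target, "vulnerability": t.vulnerability,
            "criticality": crit,
            "inherent": t.likelihood * crit,
            "residual": residual_likelihood(t, controls) * crit,
        })
    return rows


def treatment_plan(rows: List[dict], appetite: int) -> List[Tuple[str, int]]:
    """Residual risks above the accepted level, highest first: the input to a risk treatment plan."""
    return sorted(((r["threat"], r["residual"]) for r in rows if r["residual"] > appetite),
                  key=lambda x: -x[1])


# Constructed sample model (not real data). Only the business layer carries explicit values.
ASSETS = {a.name: a for a in [
    Asset("Order handling", "business", value=5, depends_on=["Order app"]),
    Asset("Order app", "application", depends_on=["DB server"]),
    Asset("DB server", "technology"),
    Asset("HR portal", "application", value=2, depends_on=["File share"]),
    Asset("File share", "technology"),
]}
THREATS = [
    Threat("Ransomware on DB server", "DB server", "unpatched OS, SMB exposed internally", likelihood=4),
    Threat("Credential theft on HR portal", "HR portal", "password-only login", likelihood=3),
    Threat("Phishing of order clerks", "Order handling", "no awareness training", likelihood=4),
]
CONTROLS = [
    Control("Offline backups", "Ransomware on DB server", likelihood_reduction=1),
    Control("MFA on HR portal", "Credential theft on HR portal", likelihood_reduction=2),
]

if __name__ == "__main__":
    for row in assess(ASSETS, THREATS, CONTROLS):
        print(row)
    print("Treatment plan:", treatment_plan(assess(ASSETS, THREATS, CONTROLS), appetite=12))
```

Note what the propagation buys: the DB server has no value of its own in the model, but because the order process depends on it through the order application it ends up with criticality 5, and its residual risk stays in the treatment plan even after the backup control is applied. The HR portal threat, by contrast, drops below the appetite once MFA is counted, so it is accepted rather than treated.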