From "Fundamentals of Software Architecture"

Author: Mark Richards, Neal Ford
Publisher: O'Reilly Media
Year: 2020
Category: Computers

Chapter 20: Analyzing Architecture Risk
Key Insight 1 from this chapter

The Architecture Risk Matrix

Architecture risk analysis is crucial for addressing system deficiencies, often starting with classifying risk as low, medium, or high. To minimize subjectivity and objectively qualify risk, a two-dimensional risk matrix is utilized. This matrix evaluates the overall 'impact' of a risk and the 'likelihood' of it occurring. Each dimension is rated on a scale of low (1), medium (2), and high (3). These numerical ratings are multiplied together to yield an objective score for each risk. Scores of 1 and 2 are categorized as low risk (green), 3 and 4 as medium risk (yellow), and 6 through 9 as high risk (red). The impact dimension should be considered first, followed by the likelihood dimension, when applying this matrix.

For instance, if the availability of a primary central database is a concern and its downtime is deemed 'high impact' (3), the risk score can only be 3, 6, or 9 before likelihood is considered. Because the database resides on highly available servers in a clustered configuration, however, its 'likelihood' of becoming unavailable is 'low' (1). Multiplying the high impact (3) by the low likelihood (1) gives a total risk rating of 3, which classifies it as medium risk. This systematic approach ensures that perceived high-impact risks with low likelihood are appropriately qualified, preventing unnecessary alarm or resource allocation.

The matrix serves as a foundational tool for consistently assessing diverse architectural risks, providing a clear, numerical basis for discussion and prioritization. It facilitates a more consistent understanding among stakeholders about the true nature and severity of risks across various architectural components or concerns, such as availability, scalability, or data integrity. This objective quantification is essential for subsequent steps in risk management, including the creation of detailed risk assessments and the collaborative efforts of risk storming.
