Module 38: Enterprise Architecture

CRISC Domain 4 — Technology and Security | Section A | 10–12 min read
Architecture defines structure.
Structure defines risk exposure.

Enterprise Architecture (EA) describes how:

  • Business processes
  • Applications
  • Data
  • Technology infrastructure

work together as a unified system.

CRISC evaluates whether you understand how architectural decisions impact risk.

This is not a design exam.
It is a risk impact exam.


What the exam is really testing

When Enterprise Architecture appears, CRISC is asking:

  • Does architecture align with business strategy?
  • Does it reduce complexity or increase it?
  • Does it create concentration risk?
  • Does it support resilience?
  • Does it enable governance?
  • Does it increase dependency risk?

Architecture influences inherent risk.


What Enterprise Architecture includes

Enterprise Architecture typically covers:

  1. Business Architecture
  2. Application Architecture
  3. Data Architecture
  4. Technology (Infrastructure) Architecture

Each layer introduces different types of risk.


Business architecture

Defines:

  • Business processes
  • Organizational structure
  • Value chains
  • Operational workflows

Risk implications:

  • Process bottlenecks
  • Single points of failure
  • Role ambiguity
  • Segregation of duties issues

CRISC may test whether process design creates inherent risk.


Application architecture

Defines:

  • Application landscape
  • Integration patterns
  • Interdependencies
  • Custom vs third-party systems

Risk implications:

  • Legacy systems
  • Unsupported applications
  • Integration failure
  • Over-complexity
  • Vendor dependency

Poor application architecture increases operational and security risk.


Data architecture

Defines:

  • Data classification
  • Data flows
  • Storage models
  • Data ownership
  • Data lifecycle

Risk implications:

  • Data concentration risk
  • Data leakage exposure
  • Regulatory non-compliance
  • Weak access control models

Data architecture strongly influences breach impact.


Technology architecture

Defines:

  • Infrastructure
  • Networks
  • Cloud environments
  • On-premise systems
  • Virtualization layers

Risk implications:

  • Single points of failure
  • Cloud concentration risk
  • Weak segmentation
  • Availability risk
  • Scalability limitations

Architecture decisions affect resilience and continuity.


The most common exam mistake

Candidates often:

  • Focus on technical detail.
  • Choose the most secure design automatically.
  • Ignore business alignment.
  • Overlook architectural complexity risk.
  • Miss concentration risk.

CRISC prefers the design that balances security against business alignment, cost and complexity, not the most secure option taken in isolation.


Centralization vs decentralization risk

Centralized architecture:

Pros:

  • Standardization
  • Simplified governance
  • Easier monitoring

Cons:

  • Concentration risk
  • Larger blast radius

Decentralized architecture:

Pros:

  • Reduced concentration
  • Local resilience

Cons:

  • Inconsistent controls
  • Aggregation challenges

CRISC tests tradeoff thinking.


Cloud architecture risk

Modern enterprise architecture frequently includes:

  • Hybrid cloud
  • Multi-cloud
  • SaaS integration
  • Third-party APIs

Risk considerations:

  • Shared responsibility model
  • Vendor dependency
  • Data residency
  • Integration exposure
  • Identity federation complexity

Cloud adoption shifts risk (and part of the control responsibility) to the provider; it does not eliminate it, and accountability for the risk stays with the organization.


Example scenario (walk through it)

Scenario:
An organization centralizes all authentication into a single identity provider without redundancy.

What is the PRIMARY architectural risk?

A. Weak inherent risk
B. Concentration and single point of failure risk
C. Excessive mitigation
D. Poor KPI

Correct answer:

B. Concentration and single point of failure risk

Every application now depends on one identity provider, so an outage or compromise of that provider affects all of them at once. Centralization enlarges the blast radius unless redundancy and failover are built in.
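The centralization trade-off above and this scenario can be made concrete by treating the architecture as a dependency graph and asking, for each component, which business services stop working if that component alone fails. The following is an added example written for this module, not code from the page or from ISACA; the architecture (service names, the `idp_primary` identity provider and its dependents) is constructed for illustration and is not a real organization's environment.

```python
"""Blast-radius and single-point-of-failure analysis over an architecture dependency map.

Added illustration for the centralization scenario; the architecture below is constructed.
Each business service lists "dependency groups". A group is a set of interchangeable
(redundant) components: the service fails only if every component in a group is down.
"""

# Constructed example architecture (hypothetical names, not a real environment).
# One identity provider with no peer, a single core ledger, and a redundant web tier.
ARCHITECTURE = {
    "online_banking": [{"idp_primary"}, {"core_ledger"}, {"web_a", "web_b"}],
    "mobile_app":     [{"idp_primary"}, {"core_ledger"}, {"api_gw"}],
    "internal_hr":    [{"idp_primary"}, {"hr_saas"}],
    "branch_teller":  [{"idp_primary"}, {"core_ledger"}],
}


def impacted_services(arch, failed):
    """Services that fail when all components in `failed` are unavailable."""
    down = set(failed)
    # A service is impacted if any one of its dependency groups is entirely down.
    return sorted(svc for svc, groups in arch.items()
                  if any(group <= down for group in groups))


def blast_radius(arch):
    """Map each component to the services that fail if it alone goes down."""
    components = set().union(*[g for groups in arch.values() for g in groups])
    return {c: impacted_services(arch, {c}) for c in sorted(components)}


def single_points_of_failure(arch):
    """Components whose sole failure takes down at least one service."""
    return {c: svcs for c, svcs in blast_radius(arch).items() if svcs}


def concentration_ranking(arch):
    """SPOFs ordered by number of dependent services: largest blast radius first."""
    spofs = single_points_of_failure(arch)
    return sorted(spofs.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def add_redundancy(arch, component, replica):
    """Return a copy of `arch` where `replica` is an interchangeable peer of `component`."""
    return {svc: [(g | {replica}) if component in g else set(g) for g in groups]
            for svc, groups in arch.items()}


if __name__ == "__main__":
    print("Before redundancy (component -> services lost if it fails):")
    for comp, svcs in concentration_ranking(ARCHITECTURE):
        print(f"  {comp:14s} {len(svcs)} service(s): {', '.join(svcs)}")

    # Architectural treatment: give the identity provider a redundant peer.
    resilient = add_redundancy(ARCHITECTURE, "idp_primary", "idp_secondary")
    print("\nAfter adding idp_secondary:")
    for comp, svcs in concentration_ranking(resilient):
        print(f"  {comp:14s} {len(svcs)} service(s): {', '.join(svcs)}")

    # Concentration is reduced, not removed: losing both IdPs still takes everything down.
    print("\nBoth IdPs down:", impacted_services(resilient, {"idp_primary", "idp_secondary"}))
```

Run it as a script and the ranking shows `idp_primary` at the top with all four services in its blast radius, `core_ledger` next, while the redundant web tier (`web_a`, `web_b`) never appears as a single point of failure. After `add_redundancy` the identity provider drops out of the SPOF list, which is the "resilience built in" the scenario asks about; the last line is the caveat that redundancy shrinks the blast radius of one failure but does not remove the concentration itself, since a common-mode failure of both instances (the same misconfiguration pushed to both, or a compromised shared signing key) still affects every dependent service.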


Slightly harder scenario

A company rapidly acquires smaller firms, maintaining separate application environments for each.

What risk concern is MOST likely?

A. Reduced complexity
B. Increased integration and governance complexity
C. Lower inherent risk
D. Excessive mitigation

Correct answer:

B. Increased integration and governance complexity

Architectural sprawl increases risk exposure and governance difficulty.


Architecture & risk management

Enterprise architecture should:

  • Align to strategy
  • Support risk appetite
  • Enable monitoring
  • Support scalability
  • Minimize unnecessary complexity
  • Enable segregation of duties
  • Reduce single points of failure

Architecture decisions affect inherent risk before controls are applied.


Architecture frameworks (conceptual awareness)

CRISC does not require memorization of frameworks.

But you should understand that architecture is often structured using:

  • Enterprise governance frameworks
  • Industry standards
  • Structured modeling approaches

The key idea:

Architecture should be deliberate — not accidental.


Slightly uncomfortable scenario

An organization adopts multiple overlapping security tools across business units without architectural integration.

What is the MOST significant risk?

A. Strong mitigation
B. Increased architectural complexity and integration risk
C. Lower inherent risk
D. Effective decentralization

Correct answer:

B. Increased architectural complexity and integration risk

Tool sprawl increases complexity and control inconsistency.


Quick knowledge check

1) Enterprise architecture primarily defines:

A. Risk treatment plans
B. Organizational structure of IT components and business alignment
C. Incident response steps
D. KPI thresholds

Answer & reasoning

Correct: B

EA defines structural alignment of business and technology.


2) Centralizing systems without redundancy primarily increases:

A. KPI performance
B. Concentration risk
C. Risk avoidance
D. Inherent risk reduction

Answer & reasoning

Correct: B

Centralizing without redundancy turns one component into a single point of failure; the exposure this creates is concentration risk.


3) Architectural complexity most directly increases:

A. Simplicity
B. Governance challenge and integration risk
C. Risk elimination
D. Avoidance

Answer & reasoning

Correct: B

Complexity increases exposure and monitoring difficulty.


Final takeaway

Enterprise architecture influences:

  • Inherent risk
  • Concentration risk
  • Integration risk
  • Dependency risk
  • Resilience
  • Governance visibility

CRISC does not expect you to design architecture.

It expects you to recognize architectural decisions that:

  • Increase risk
  • Reduce resilience
  • Conflict with strategy
  • Create governance blind spots

Architecture defines exposure before controls even exist.

Next module: Module 39, IT Operations Management