Enterprise Risk and Vulnerability Management

The risk “waterfall” is a time-phased representation of the potential mitigation activities and the marginal cost for risk reduction.

Acceptable enterprise risk is a key element of the affordability balance between architectural objectives, timeframe, and risk. Enterprise risks are associated with achieving or maintaining the required architectural capabilities. Enterprise risks primarily arise from the following sources:

  • Unintentional sources such as, but not limited to, technology readiness, operator error, system failure, and obsolescence
  • Malevolent sources that overtly and/or covertly seek out physical and cyber vulnerabilities

Exostrategies uses an agile Affordable Risk Management (ARM) process to continuously assess and prioritize risk mitigation activities based upon changing guidance and prevalent threats.

Risk Report Example - Screenshot

Enterprise risks, when linked and mapped to the enterprise architecture, provide an excellent architectural representation of potential mitigation investment options.


Deployable in both classified and unclassified environments, our ARM process is designed to link our physical and cyber vulnerability management services by applying the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) standards within the Architex™ Decision Support Suite.



Center of Gravity - Product Screenshot

Vulnerability center of gravity analyses provide a basis to identify strategies for mitigation return on investment.

Architex provides the ability to:

  • Define risk mitigation activities, timelines, and projects such as plans of action and milestones (POA&Ms).
  • Allocate RMF controls to POA&Ms, projects and architectural elements.
  • Create center of gravity topologies that identify optimum strategies for investment based on key architectural vulnerabilities.
  • Define affordable and acceptable risk metrics based on the desired architectural objectives subject to budgetary constraints.
  • Identify the point at which the marginal cost of further risk reduction is not worth the investment return.
  • Associate vulnerabilities with risks.