Four modes of capacity

Part of the series: Getting it organized properly. Notes from a field still finding its shape.

Four words

Capability, value stream, function, process. These four turn up in almost every enterprise architecture conversation. They blur together the faster it goes. A capability map says what an organization can do, not how it is arranged to do it. Even so, it can look much like a list of business functions. A value stream and a process both read as work that flows. In conversation they sit close enough to swap places without anyone noticing.

A small ArchiMate model holds them apart: four elements and four relationships, drawn straight from the standard. Walking that model is capability mapping. For a security architect, the same walk turns into a short list of questions worth putting to any organization.

Four modes

Figure 1 is the whole of it, four elements and four relationships. The grid has two axes, both ArchiMate's own. Vertically it runs from strategic to operational. Horizontally it represents at rest and in motion.

Each element sits at one crossing of the two axes. The four are not separate things but one capacity in four modes. The cells are distinct, but the subject is the same. What changes is not the capacity but its position in the grid.

For a capability the capacity is ability. For a value stream it is value delivery. For a function it is organized behavior and for a process it is enacted flow.

Strategic and operational

Figure 2 shows the strategic row with capability and value stream. Read as a capability, NIST's Detect is the ability to spot adverse events. As a value stream Detect is that ability in motion, telemetry arriving and alerts triaged into confirmed incidents.

Figure 3 shows the operational row with function and process. NIST's Detect has categories such as continuous monitoring. As a function Detect is the monitoring setup, the team and the tooling standing ready. As a process Detect is that setup running, feeds ingested and rules fired around the clock.

Vertically, the operational row is the strategic row made concrete. A function is a capability staffed. A process is a value stream run.

At rest and in motion

Figure 4 shows the at-rest column with capability and function. This is the paperwork, what the organization is set up to do. The Detect capability and the monitoring setup, both declared on the page.

Figure 5 shows the in-motion column with value stream and process. This is reality, what actually runs. Detection flowing and monitoring firing.

Horizontally, the in-motion column is the at-rest column running.

This is why the words are clear here. Each element's two coordinates, its row and its column, are not labels on it but what it is. A function is operational and at rest because that is what makes it a function and not a capability or a process.

Capability mapping

A grid of four positions is just a classification, inert until its edges are walked. Walking them relates a capability to what realizes it and what it serves. That is one sense of capability mapping. Most architects do some version of it already.

The term carries others. It can mean building the map, naming the capabilities and arranging them. It can mean using the map, the capability-based planning, also called capability modelling, that works through baseline, target, gap and roadmap, with roots in NATO and defense planning. The grid is about neither. It is about the relating.

The vocabularies do not make it easier. TOGAF absorbed the BIZBOK terms and now carries two names for the same artifacts. Some frameworks even use capability and function interchangeably. The relating sense is not a private reading, though. A capability realized by functions and served by value streams is the pairing The Open Group packages as capability-based planning with ArchiMate. The grid sits on named ground.

What it adds is a type on every edge. The two vertical edges are realizations: a function realizes a capability, a process realizes a value stream. The operational layer is what makes the strategic layer real.

The two horizontal edges differ. A capability serves its value stream: it enables the flow but does not contain it. A function aggregates its processes: it holds the sequences that run within it.

So mapping a capability is walking these edges out from it. A capability is a claim about what the enterprise can do. Walked down, the Detect capability should reach a monitoring function and the process that runs it. Walked across, the detection value stream it serves. Where an edge leads nowhere, the cell is a claim with nothing behind it.

Four questions

Laid over the cells, a familiar standard turns each into a question. The at-rest column asks what should exist: is the capability declared, is the function defined. The in-motion column asks what actually runs: is the value stream delivering, is the process performing. The first two answers come from a document. The last two come from looking.

NIST fits cleanly. Its functions, broad outcomes like Identify, Protect and Detect, map onto the strategic row. Its categories map onto the operational row. Its two profiles draw the same column line. A Target Profile, what the organization intends, reads as the paperwork at rest. A Current Profile, what it achieves, reads as the reality in motion.

ISO fits the same way. ISO 27001, the management system, sits on the strategic row. ISO 27002, the controls, sits on the operational row. Here the audit draws the column line. A control's design falls in the at-rest column. Its operating effectiveness, shown over time, falls in the in-motion column. Between them lies existence, the check that the design is real. The audit is the verb that carries a control from one column to the other.

There is one catch, a shared word. NIST's function is the model's capability, not its function. The table keeps the levels apart.

These are the at-rest readings. In motion, the same rows give value stream and process, through NIST's Current Profile and ISO's operating-effectiveness audit.

Neither standard was bent to fit. Both already separate strategy from operations and paperwork from reality. The grid only names both splits at once. The edges are the model's alone. Realizes, serves and aggregates make the four answers trace as one.

The security finding is the distance between the columns. A Detect capability can sit in every policy while the monitoring process behind it has stalled. The at-rest cell is filled. The in-motion cell is empty. That gap is what the grid is built to surface. The paperwork is easy. The running is the question.

Organizing this is harder than naming it. The work is collective and slow. The field gets organized by many people writing carefully about what they can see clearly. This article is one small contribution to that work.

Sources cited

• The at-rest and in-motion split and the business-model and operating-model split come from the ArchiMate 3.2 Specification (The Open Group, 2022). So do the realize, serve and aggregate relationships. The value stream element was introduced in ArchiMate 3.1 (The Open Group, 2019).
• Capability mapping and capability-based planning, relating capabilities to the functions and value streams that realize and serve them, are set out in the TOGAF Standard (The Open Group), the BIZBOK Guide (Business Architecture Guild), and The Open Group's guide to capability-based planning with the TOGAF and ArchiMate Standards.
• The Functions, Categories and Subcategories, and the Current and Target Profiles, are from the NIST Cybersecurity Framework 2.0 (NIST, 2024).
• The management system, controls and audit terms are from ISO/IEC 27001 and ISO/IEC 27002. Design, existence and operating effectiveness are standard audit practice.