
...

Overview

What is the Risk Management Domain?

...

Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.

Conclusion

The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.

...

Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.

Risk Management Domain Schema

Cross-Domain Relationship Mappings

...

Example Implementation

Example: Cybersecurity Risk Profile Analysis

Code Block
{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      {
        "impactType": "reputational",
        "description": "Severe damage to brand trust and customer confidence",
        "severity": "high"
      },
      {
        "impactType": "regulatory",
        "description": "Substantial fines under data protection regulations",
        "severity": "high"
      },
      {
        "impactType": "operational",
        "description": "Service disruption during incident response",
        "severity": "medium"
      }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      {
        "metricName": "Security incidents involving PII",
        "thresholdValue": "0",
        "responseRequired": "Immediate executive notification and investigation"
      },
      {
        "metricName": "Failed security tests",
        "thresholdValue": ">5%",
        "responseRequired": "Security remediation within 48 hours"
      }
    ],
    "rationale": "Given regulatory requirements and potential reputational impact"
  },
  "riskStatus": "mitigated",
  "mitigationStrategy": {
    "approachType": "reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
    "implementationStatus": "implemented"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": [
      "Investigating additional advanced endpoint protection",
      "Enhancing threat hunting capabilities"
    ]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": [
      "Strengthen third-party security assessment process",
      "Enhance cloud security monitoring"
    ]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    {
      "regulationType": "Data Protection",
      "regulationName": "GDPR",
      "implications": "Breach notification requirements and potential fines up to 4% of global revenue",
      "complianceStatus": "compliant"
    },
    {
      "regulationType": "Financial",
      "regulationName": "PCI-DSS",
      "implications": "Requirements for securing payment card data",
      "complianceStatus": "compliant"
    }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      {
        "objectiveID": "STRAT-DIGITAL-003",
        "impactDescription": "Risk considerations require adjustment to cloud migration timeline",
        "impactSeverity": "moderate"
      },
      {
        "objectiveID": "STRAT-CUSTOMER-002",
        "impactDescription": "Enhanced security measures could create friction in customer experience",
        "impactSeverity": "minor"
      }
    ]
  },
  "emergingFactors": [
    {
      "factorName": "AI-Enhanced Cyber Threats",
      "description": "Increasing sophistication of attacks using AI to evade detection",
      "potentialImpact": "Could increase probability of successful breach",
      "timeHorizon": "medium-term",
      "monitoringApproach": "Threat intelligence subscription and quarterly assessment"
    },
    {
      "factorName": "Extended Supply Chain Exposure",
      "description": "Increasing integration with third-party systems expanding attack surface",
      "potentialImpact": "New vectors for data compromise",
      "timeHorizon": "immediate",
      "monitoringApproach": "Third-party security assessment program"
    }
  ],
  "relatedRisks": [
    {
      "riskID": "RISK-TECH-005",
      "relationshipType": "contributor",
      "relationshipStrength": 4,
      "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities"
    },
    {
      "riskID": "RISK-COMP-002",
      "relationshipType": "consequence",
      "relationshipStrength": 5,
      "description": "Data breach would trigger Regulatory Compliance Risk"
    }
  ],
  "keyRiskIndicators": [
    {
      "indicatorName": "Security Incidents",
      "description": "Number of security incidents detected per month",
      "currentValue": "12",
      "threshold": "25",
      "trend": "stable",
      "monitoringFrequency": "daily"
    },
    {
      "indicatorName": "Vulnerability Remediation Time",
      "description": "Average time to remediate critical vulnerabilities",
      "currentValue": "1.8 days",
      "threshold": "3 days",
      "trend": "improving",
      "monitoringFrequency": "weekly"
    },
    {
      "indicatorName": "Phishing Simulation Success Rate",
      "description": "Percentage of employees clicking on simulated phishing emails",
      "currentValue": "4.2%",
      "threshold": "5%",
      "trend": "stable",
      "monitoringFrequency": "monthly"
    }
  ],
  "dependencies": [
    {
      "dependencyType": "Critical",
      "domainType": "Capability",
      "entityID": "CAP-SECOPS-001",
      "description": "Security Operations capability"
    },
    {
      "dependencyType": "Important",
      "domainType": "Information",
      "entityID": "INFO-DATA-003",
      "description": "Customer Data Security Classification Framework"
    }
  ],
  "documentationReferences": [
    {
      "documentName": "Information Security Policy",
      "documentLocation": "Policy repository (IS-POL-001)",
      "documentType": "policy",
      "documentDate": "2024-12-15"
    },
    {
      "documentName": "Annual Cybersecurity Risk Assessment",
      "documentLocation": "Risk repository (RISK-RPT-2025-01)",
      "documentType": "assessment",
      "documentDate": "2025-02-28"
    }
  ]
}

Risk Management Domain Schema

Cross-Domain Relationship Mappings

Risk-Strategy Relationship Schema

Code Block
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Strategy Relationship Schema",
  "description": "Schema for relationships between Risk Management domain and Strategy domain",
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {
      "type": "string",
      "description": "Unique identifier for this relationship"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk element"
    },
    "title": {
      "type": "string",
      "description": "Name of the strategy"
    },
    "relationshipType": {
      "type": "string",
      "description": "Nature of the risk influence on strategy",
      "enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
    },
    "relationshipStrength": {
      "type": "integer",
      "description": "Strength of influence (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskFactors": {
      "type": "array",
      "description": "Risk factors influencing this strategy",
      "items": {
        "type": "string"
      }
    },
    "strategicImpact": {
      "type": "object",
      "description": "How risk impacts strategic elements",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of impact"
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "potentialOutcomes": {
          "type": "array",
          "description": "Possible strategic outcomes",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "strategicObjectives": {
      "type": "array",
      "description": "Strategic objectives affected by risk",
      "items": {
        "type": "object",
        "properties": {
          "objectiveID": {
            "type": "string",
            "description": "ID of strategic objective"
          },
          "riskImpact": {
            "type": "string",
            "description": "How risk impacts this objective"
          },
          "importanceLevel": {
            "type": "string",
            "description": "Importance to objective",
            "enum": ["minor", "moderate", "significant", "critical"]
          }
        }
      }
    },
    "riskAdjustments": {
      "type": "array",
      "description": "Strategic adjustments made for risk",
      "items": {
        "type": "object",
        "properties": {
          "adjustmentDescription": {
            "type": "string",
            "description": "Description of adjustment"
          },
          "adjustmentType": {
            "type": "string",
            "description": "Type of adjustment",
            "enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
          },
          "effectiveness": {
            "type": "string",
            "description": "Effectiveness of adjustment",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          }
        }
      }
    },
    "riskAppetite": {
      "type": "object",
      "description": "Strategic risk appetite",
      "properties": {
        "appetiteLevel": {
          "type": "string",
          "description": "Level of risk appetite",
          "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
        },
        "appetiteJustification": {
          "type": "string",
          "description": "Reason for this appetite level"
        },
        "variationByObjective": {
          "type": "array",
          "description": "How appetite varies by objective",
          "items": {
            "type": "object",
            "properties": {
              "objectiveID": {
                "type": "string",
                "description": "ID of objective"
              },
              "specificAppetite": {
                "type": "string",
                "description": "Specific appetite for this objective",
                "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
              }
            }
          }
        }
      }
    },
    "strategicMonitoring": {
      "type": "object",
      "description": "How risk is monitored in strategy",
      "properties": {
        "monitoringApproach": {
          "type": "string",
          "description": "How risk is tracked strategically"
        },
        "keyIndicators": {
          "type": "array",
          "description": "Strategic indicators being tracked",
          "items": {
            "type": "string"
          }
        },
        "reviewFrequency": {
          "type": "string",
          "description": "How often strategic risk is reviewed",
          "enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
        }
      }
    },
    "contingencyPlans": {
      "type": "array",
      "description": "Strategic contingencies for risk events",
      "items": {
        "type": "object",
        "properties": {
          "scenarioDescription": {
            "type": "string",
            "description": "Risk scenario"
          },
          "contingencyApproach": {
            "type": "string",
            "description": "Planned response"
          },
          "triggerConditions": {
            "type": "string",
            "description": "What activates contingency"
          }
        }
      }
    }
  }
}
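
Checking a relationship record against the Risk-Strategy Relationship Schema, as an added example that is not part of the Orthogramic documentation. The validator is a hand-written subset of JSON Schema draft-07 covering only the keywords this schema uses; the schema is an excerpt, and the relationship IDs, the strategy title, both sample records and the helper unknown_properties are constructed for illustration. The schema does not set additionalProperties, so a misspelled field passes validation and is reported by the separate helper instead.

```python
import json

# Excerpt of the Risk-Strategy Relationship Schema (remaining properties omitted).
SCHEMA = json.loads("""{
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {"type": "string"},
    "riskID": {"type": "string"},
    "title": {"type": "string"},
    "relationshipType": {"type": "string", "enum": [
      "strategic-threat", "strategic-opportunity", "execution-risk", "enabler",
      "constraint", "context-factor", "success-factor", "other"]},
    "relationshipStrength": {"type": "integer", "minimum": 1, "maximum": 5},
    "riskFactors": {"type": "array", "items": {"type": "string"}},
    "strategicObjectives": {"type": "array", "items": {
      "type": "object",
      "properties": {
        "objectiveID": {"type": "string"},
        "riskImpact": {"type": "string"},
        "importanceLevel": {"type": "string",
                            "enum": ["minor", "moderate", "significant", "critical"]}
      }}}
  }
}""")

JSON_TYPES = {"string": str, "array": list, "object": dict, "boolean": bool}


def type_ok(value, expected):
    """JSON Schema type check; a Python bool must not pass as integer/number."""
    if expected in ("integer", "number"):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return expected == "number" or float(value).is_integer()
    return isinstance(value, JSON_TYPES[expected])


def validate(instance, schema, path="$"):
    """Return a list of violations (empty list means the record conforms)."""
    expected = schema.get("type")
    if expected and not type_ok(instance, expected):
        return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not an allowed value")
    if "minimum" in schema and instance < schema["minimum"]:
        errors.append(f"{path}: {instance} is below minimum {schema['minimum']}")
    if "maximum" in schema and instance > schema["maximum"]:
        errors.append(f"{path}: {instance} is above maximum {schema['maximum']}")
    if isinstance(instance, dict):
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property '{name}'")
        for name, sub in schema.get("properties", {}).items():
            if name in instance:
                errors.extend(validate(instance[name], sub, f"{path}.{name}"))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def unknown_properties(instance, schema, path="$"):
    """List keys the schema does not declare (hypothetical helper, see lead-in)."""
    found = []
    if isinstance(instance, dict):
        declared = schema.get("properties", {})
        for name, value in instance.items():
            if name not in declared:
                found.append(f"{path}.{name}")
            else:
                found.extend(unknown_properties(value, declared[name], f"{path}.{name}"))
    elif isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            found.extend(unknown_properties(item, schema["items"], f"{path}[{i}]"))
    return found


# Constructed records; RISK-CYBER-001 and the STRAT-* IDs come from the page's example.
GOOD = {
    "relationshipID": "REL-RISK-STRAT-001",      # constructed ID
    "riskID": "RISK-CYBER-001",
    "title": "Digital Transformation Strategy",  # constructed title
    "relationshipType": "constraint",
    "relationshipStrength": 4,
    "riskFactors": ["third-party exposure"],
    "strategicObjectives": [{"objectiveID": "STRAT-DIGITAL-003",
                             "riskImpact": "Cloud migration timeline adjusted",
                             "importanceLevel": "moderate"}],
}
BAD = {
    "relationshipID": "REL-RISK-STRAT-002",      # constructed ID; "title" is missing
    "riskID": "RISK-CYBER-001",
    "relationshipType": "threat",                # not in the enum
    "relationshipStrength": 7,                   # outside 1-5
    "strategicObjectives": [{"objectiveID": "STRAT-CUSTOMER-002",
                             "importanceLevel": "high"}],  # not in the enum
    "riskFactor": ["third-party exposure"],      # misspelling of riskFactors
}

if __name__ == "__main__":
    for label, record in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(record, SCHEMA), unknown_properties(record, SCHEMA))
```

Because SCHEMA is an excerpt, unknown_properties would also flag fields that the full schema does declare, such as strategicImpact; load the complete schema before using it on real records.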

Strategic Response Model Integration

Risk-Related Rationales Schema

Code Block
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Rationales Schema",
  "description": "Schema for risk-related rationales in the Strategic Response Model",
  "type": "object",
  "required": ["rationaleID", "rationaleTitle", "description", "triggerReference"],
  "properties": {
    "rationaleID": {
      "type": "string",
      "description": "Unique identifier for the rationale"
    },
    "rationaleTitle": {
      "type": "string",
      "description": "Title or summary of the rationale"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation supporting a strategic response"
    },
    "triggerReference": {
      "type": "string",
      "description": "Primary trigger this rationale responds to"
    },
    "triggerReferences": {
      "type": "array",
      "description": "Optional multiple triggers this rationale addresses",
      "items": {
        "type": "string"
      }
    },
    "riskIDs": {
      "type": "array",
      "description": "Risks this rationale relates to",
      "items": {
        "type": "string"
      }
    },
    "linkedDomains": {
      "type": "array",
      "description": "Business architecture domains influenced or justified by this rationale",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "rationaleType": {
      "type": "string",
      "description": "The justification type for this rationale",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Response_Planning", "Opportunity_Exploitation", "Compliance_Management"]
    },
    "rationaleOrientation": {
      "type": "string",
      "description": "Whether the rationale is responding to existing conditions or anticipating future conditions",
      "enum": ["Reactive", "Proactive"]
    },
    "riskInsightSource": {
      "type": "string",
      "description": "Source of risk insights supporting this rationale",
      "enum": ["Risk_Assessment", "Incident_Analysis", "Control_Monitoring", "Audit_Finding", "Industry_Intelligence", "Scenario_Analysis", "Expert_Judgment"]
    },
    "anticipatedOutcomes": {
      "type": "array",
      "description": "For proactive rationales, the expected benefits or outcomes",
      "items": {
        "type": "string"
      }
    },
    "alternativesConsidered": {
      "type": "array",
      "description": "Other risk approaches that were evaluated but not selected",
      "items": {
        "type": "object",
        "properties": {
          "alternativeID": {
            "type": "string",
            "description": "Identifier for the alternative"
          },
          "alternativeDescription": {
            "type": "string",
            "description": "Description of the alternative approach"
          },
          "riskImplications": {
            "type": "string",
            "description": "Risk implications of this alternative"
          },
          "reasonForRejection": {
            "type": "string",
            "description": "Why this approach wasn't selected"
          }
        }
      }
    },
    "reasoningPattern": {
      "type": "string",
      "description": "The logical structure of the rationale",
      "enum": ["Risk_Based", "Control_Effectiveness", "Cost_Benefit", "Compliance_Based", "Threat_Assessment", "Vulnerability_Based", "Impact_Analysis"]
    },
    "evidenceBase": {
      "type": "string",
      "description": "The foundation for the rationale",
      "enum": ["Risk_Data", "Control_Testing", "Incident_History", "External_Intelligence", "Compliance_Requirements", "Expert_Opinion", "Quantitative_Analysis"]
    },
    "businessValueType": {
      "type": "string",
      "description": "The nature of value creation or preservation",
      "enum": ["Loss_Prevention", "Damage_Limitation", "Reputation_Protection", "Compliance_Assurance", "Operational_Resilience", "Strategic_Protection", "Opportunity_Enabling"]
    },
    "riskImpactAssessment": {
      "type": "object",
      "description": "Assessment of risk implications",
      "properties": {
        "impactType": {
          "type": "string",
          "description": "Type of risk impact",
          "enum": ["financial", "operational", "strategic", "reputational", "compliance", "multiple"]
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact if not addressed",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "impactLikelihood": {
          "type": "string",
          "description": "Likelihood of impact if not addressed",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "confidenceLevel": {
          "type": "integer",
          "description": "Confidence in assessment (1-5)",
          "minimum": 1,
          "maximum": 5
        }
      }
    },
    "dateCreated": {
      "type": "string",
      "format": "date",
      "description": "The date the rationale was first recorded"
    },
    "lastReviewed": {
      "type": "string",
      "format": "date",
      "description": "The most recent date of rationale review"
    },
    "effectivenessRating": {
      "type": "integer",
      "description": "Optional evaluation of rationale effectiveness (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "author": {
      "type": "string",
      "description": "The person or team who documented the rationale"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organisational unit that owns or authored the rationale"
    },
    "relatedRationales": {
      "type": "array",
      "description": "References to other related rationales",
      "items": {
        "type": "string"
      }
    }
  }
}

Risk-Capability Relationship Schema

Code Block
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-RelatedCapability StrategicRelationship Responses Schema",
  "description": "Schema for risk-relatedrelationships strategicbetween responsesRisk inManagement thedomain Strategicand ResponseCapability Modeldomain",
  "type": "object",
  "required": ["responseIDrelationshipID", "responseTitleriskID", "responseDescriptiontitle", "triggerReferences", "rationaleReferencesrelationshipType"],
  "properties": {
    "responseIDrelationshipID": {
      "type": "string",
      "description": "A uniqueUnique identifier for thethis strategic responserelationship"
    },
    "responseTitleriskID": {
      "type": "string",
      "description": "AID conciseof title summarizing the strategicrisk responseelement"
    },
    "responseTypetitle": {
      "type": "string",
      "description": "The classificationName of the response",capability"
    },
    "relationshipType": {
      "enumtype": ["Risk_Preventionstring",
"Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance      "description": "Nature of the relationship",
      "enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
    },
    "responseDescriptionrelationshipStrength": {
      "type": "stringinteger",
      "description": "Importance of this relationship "A detailed explanation of the strategic response, its objectives, and scope"(1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskIDsriskImpact": {
      "type": "arrayobject",
      "description": "RiskHow elementsrisk thisimpacts response addressescapability",
      "itemsproperties": {
        "typeimpactDescription": "string"{
      }     },
 "type": "string",
  "triggerReferences": {       "typedescription": "array",Description       "description": "An array of triggerIDs that initiated this strategic response",of impact"
        },
        "itemsimpactSeverity": {
          "type": "string",
      }     },
 "description": "Severity of impact",
  "rationaleReferences": {       "typeenum": ["arrayminimal", "moderate", "significant",     "description": "An array of rationaleIDs providing justification for this response","severe", "critical"]
        },
        "itemsimpactScenarios": {
          "type": "stringarray",
      }     },
    "performanceIndicatorReferences"description": {"Specific impact   scenarios",
  "type": "array",       "descriptionitems": "Metrics{
or KPIs that will be used to measure the success of the strategic response","type": "string"
        "items": { }
       "type": "string" }
      }
    },
    "riskOutcomescapabilityControls": {
      "type": "array",
      "description": "SpecificControls riskwithin managementcapability outcomes resulting from this responseaddressing risk",
      "items": {
        "type": "object",
        "properties": {
          "outcomeDescriptioncontrolDescription": {
            "type": "string",
            "description": "Description of risk outcomecontrol"
          },
          "targetRiskLevelcontrolEffectiveness": {
            "type": "string",
            "description": "DesiredHow riskwell levelcontrol after responseworks",
            "enum": ["very-lowineffective", "lowpartially-effective", "moderateeffective", "highhighly-effective", "verynot-highassessed"]
          },
          "measurementApproachimplementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["not-implemented"How outcome will be measured", "planning", "in-progress", "implemented", "verified"]
          }
        }
      }
    },
    "implementedControlscapabilityGaps": {
      "type": "array",
      "description": "RiskCapability controlsgaps implemented by this responseincreasing risk",
      "items": {
        "type": "object",
        "properties": {
          "controlNamegapDescription": {
            "type": "string",
            "description": "NameDescription of controlgap"
          },
          "controlDescriptionriskContribution": {
            "type": "string",
            "description": "Description of controlHow gap contributes to risk"
          },
          "controlTyperemediation": {
            "type": "string",
            "description": "TypePlan to ofaddress controlgap",
            "enum": ["preventive", "detective", "corrective", "directive", "other"]}
        }
      },
     },
    "implementationStatusperformanceMetrics": {
  
         "type": "stringarray",
 
          "description": "StatusMetrics offor implementation",measuring risk impact on   capability",
      "enumitems": ["planned", "in-progress", "implemented", "effective", "ineffective"]{
              }"type": "object",
        "properties": }{
      }     },"metricName": {
    "affectedDomains": {       "type": "arraystring",
            "description": "Name of metric"A
  list of business architecture domains impacted by this response"},
          "itemsmetricDescription": {
            "type": "string",
            "enumdescription": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
What metric measures"
          },
     }     },
"currentValue": {
   "implementationPlan":  {       "type": "objectstring",
            "description": "PlanCurrent outliningmeasurement"
how the response will be executed",      },
"properties": {         "phaseApproachtargetValue": {
            "type": "string",
            "description": "Phasing of implementation"
 Target value"
          }
        }
      },
    },
    "keyActivitiesimprovementInitiatives": {
          "type": "array",
          "description": "MajorInitiatives implementationto activities",improve capability for risk management",
      "items": {
   
        "type": "stringobject",
        "properties": {
}         },         "resources"initiativeDescription": {
            "type": "string",
            "description": "Resources required for implementation"Description of initiative"
          },
          "governanceStructureexpectedOutcome": {
            "type": "string",
            "description": "GovernanceAnticipated result"
over implementation"         },
      }     },"status": {
    "riskMonitoring": {       "type": "arraystring",
            "description": "Ongoing risk monitoring approachesCurrent status",
      "items": {     "enum": ["proposed", "approved", "in-progress", "typecompleted":, "object",canceled"]
          }
        }
    "properties": { }
    },
    "monitoringMethoddependencyRisks": {
      "type": "array",
      "typedescription": "string",Risks arising from capability dependencies",
      "items": {
        "descriptiontype": "Method for monitoringobject",
          },"properties": {
          "keyIndicatorsdependencyType": {
            "type": "arraystring",
            "description": "IndicatorsType beingof monitored",dependency"
          },
          "itemsdependentEntity": {

             "type": "string",
            "description": "What capability depends }on"
          },
          "frequencyriskScenario": {
            "type": "string",
            "description": "HowRisk oftenscenario monitoringcreated occurs",
            "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"]by dependency"
          }
        }
      }
    },
  }
 "expectedOutcomes": }
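Review bot: the item objects added under `capabilityGaps`, `performanceMetrics`, `improvementInitiatives` and `dependencyRisks` declare `properties` but, as far as these lines show, no `required` list, so an empty object would validate as a capability gap or a dependency risk. Consider requiring at least the describing field in each (`gapDescription`, `metricName`, `initiativeDescription`, `riskScenario`). In `performanceMetrics`, `currentValue` and `targetValue` are both free-form strings, which leaves no machine-checkable way to tell whether a metric has crossed its target; a numeric value with a separate unit field would allow that check.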

Strategic Response Model Integration

Risk-Related Strategic Responses Schema

Code Block
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "typetitle": "string",
   Risk-Related Strategic Responses Schema",
  "description": "ASchema descriptionfor ofrisk-related thestrategic anticipatedresponses resultsin orthe benefitsStrategic from implementing the response"
    },
 Response Model",
  "responsibleOrgUnitstype": {"object",
      "typerequired": ["arrayresponseID",       "description": "Organisation units accountable for executing the strategic response",
 "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
  "properties": {
    "itemsresponseID": {
        "type": "string",
      }
    },
    "startDate": {
 "description": "A unique identifier for the strategic response"
    },
    "typeresponseTitle": "string",{
      "formattype": "datestring",
      "description": "TheA plannedconcise start date for implementingtitle summarizing the strategic response"
    },
    "endDateresponseType": {
      "type": "string",
      "formatdescription": "dateThe classification of the response",
      "descriptionenum": "The planned completion date for the strategic response"["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"]
    },
    "statusresponseDescription": {
      "type": "string",
      "description": "TheA currentdetailed statusexplanation of the strategic response",       "enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"]
its objectives, and scope"
    },
    "lastUpdatedriskIDs": {
      "type": "string",
      "format": "date"array",
      "description": "TheRisk date when the strategicelements this response record was last updated"
addresses",
   },     "residualRiskAssessmentitems": {
        "type": "string",
      "description": "Assessment of risk remaining after response implementation"
  }
    },
    "strategicThemestriggerReferences": {
      "type": "array",
      "description": "An array of strategic prioritiestriggerIDs that initiated this initiativestrategic supportsresponse",
      "items": {
        "type": "string"
      }
    },
  } }

Example Implementation

Example: Cybersecurity Risk Profile Analysis

Code Block
{ "rationaleReferences": {
      "riskIDtype": "RISK-CYBER-001array",
      "titledescription": "CriticalAn array Dataof BreachrationaleIDs Risk",providing justification for "description":this response"The,
risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability"items": {
        "type": "string"
      }
    },
    "performanceIndicatorReferences": {
      "type": "array",
      "description": "Metrics or KPIs that will be used to measure the success of the strategic response",
      "items": {
        "leveltype": "moderate",
string"
      }
   "numericValue": 0.35 },
    "rationaleriskOutcomes": {
"Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {"type": "array",
      "description": "Specific risk management outcomes resulting from this response",
      "items": {
        "leveltype": "severeobject",
        "financialImpactproperties": "$5-15 million", {
          "nonFinancialImpactsoutcomeDescription": [{
      {         "impactTypetype": "reputationalstring",
            "description": "SevereDescription damageof torisk brandoutcome"
trust and customer confidence",       },
 "severity": "high"       }, "targetRiskLevel":  {
   {         "impactTypetype": "regulatorystring",
            "description": "SubstantialDesired finesrisk underlevel dataafter protection regulationsresponse",
            "enum": ["very-low", "low", "severitymoderate":, "high", "very-high"]
     },     },
 {         "impactTypemeasurementApproach": "operational", {
            "descriptiontype": "string"Service,
disruption during incident response",         "severitydescription": "mediumHow outcome will be measured"
      }    }
],     "rationale": "Based on analysis}
of recent industry breaches and our specific}
data exposure"   },
    "riskSeverityimplementedControls": {
      "leveltype": "higharray",
   
"score": 16,     "calculationMethoddescription": "5x5Risk riskcontrols matriximplemented combiningby probabilitythis andresponse",
impact values"
  },   "riskToleranceitems": {
        "toleranceLeveltype": "lowobject",

   "thresholds": [    "properties": {
 {         "metricNamecontrolName": {
"Security incidents involving PII",         "thresholdValuetype": "0string",
            "responseRequireddescription": "Name of control"Immediate
executive notification and investigation"       },
          "controlDescription": {
            "metricNametype": "string"Failed,
  security tests",         "thresholdValuedescription": ">5%",Description of control"
           "responseRequired": "Security remediation within 48 hours"},
          "controlType": {
  }     ],     "rationaletype": "string"Given,
 regulatory requirements and potential reputational impact"   },   "riskStatusdescription": "mitigated",Type of control",
      "mitigationStrategy": {     "approachTypeenum": ["reducepreventive", "detective",   "corrective", "directive", "descriptionother":]
 "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption},
access controls, and security awareness training",     "expectedOutcomeimplementationStatus": "Reduce{
likelihood of successful breach while maintaining detection capabilities",     "implementationStatustype": "implementedstring",
   },   "residualRisk": {     "leveldescription": "moderateStatus of implementation",
      "acceptableLevel": true,     "descriptionenum": ["Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
planned", "in-progress", "implemented", "effective", "ineffective"]
   "additionalControls": [      }
"Investigating additional advanced endpoint protection",      }
"Enhancing threat hunting capabilities"   }
 ]   },
    "controlEffectivenessaffectedDomains": {
      "leveltype": "effectivearray",
      "lastAssessmentdescription": "2025-03-15A list of business architecture domains impacted by this response",
      "improvementNeedsitems": [{
      "Strengthen third-party security assessment process "type": "string",
      "Enhance cloud security monitoring"
    ]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    {
 "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "regulationTypeimplementationPlan": "Data Protection",
{
      "regulationNametype": "GDPRobject",
      "implicationsdescription": "Breach notification requirements and potential fines up to 4% of global revenue",Plan outlining how the response will be executed",
      "properties": {
        "complianceStatusphaseApproach": "compliant" {
          },
"type": "string",
   {       "regulationTypedescription": "Financial",Phasing of implementation"
        },
        "regulationNamekeyActivities": "PCI-DSS",{
          "implicationstype": "Requirements for securing payment card data",array",
          "complianceStatusdescription": "compliantMajor implementation activities",
    }   ],   "strategicImplicationsitems": {
      "overallImpact": "mixed",     "affectedObjectivestype": "string"
  [       { }
       "objectiveID": "STRAT-DIGITAL-003" },
        "impactDescriptionresources": "Risk{
considerations require adjustment to cloud migration timeline",
        "impactSeveritytype": "moderatestring",
      },    "description": "Resources required {for implementation"
       "objectiveID": "STRAT-CUSTOMER-002" },
        "impactDescription": "Enhanced security measures could create friction in customer experience",governanceStructure": {
          "type": "string",
          "impactSeveritydescription": "minor"Governance over implementation"
        }
      }
 ]   },
    "emergingFactorsriskMonitoring": [     {
      "factorNametype": "AI-Enhanced Cyber Threatsarray",
      "description": "IncreasingOngoing sophisticationrisk of attacks using AI to evade detectionmonitoring approaches",
      "potentialImpactitems": "Could{
increase probability of successful breach",
      "timeHorizontype": "medium-termobject",
        "monitoringApproachproperties": {
"Threat   intelligence subscription and quarterly assessment"   "monitoringMethod": {
},     {       "factorNametype": "string"Extended,
  Supply Chain Exposure",        "description": "Increasing integration with third-party systems expanding attack surface",Method for monitoring"
          },
          "potentialImpactkeyIndicators": {
 "New vectors for data compromise",       "timeHorizontype": "immediatearray",
            "monitoringApproachdescription": "Third-party security assessment program"Indicators being monitored",
      }   ],   "relatedRisksitems": [
    {
      "riskID": "RISK-TECH-005",       "relationshipTypetype": "contributorstring",
   
  "relationshipStrength": 4,       "description": "Legacy System}
Maintenance Risk contributes to cybersecurity vulnerabilities"     },

   {       "riskIDfrequency": "RISK-COMP-002", {
            "relationshipTypetype": "consequencestring",
      "relationshipStrength": 5,       "description": "Data breach would trigger Regulatory Compliance Risk"How often monitoring occurs",
             }
  ],
  "keyRiskIndicators": ["enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"]
      {    }
  "indicatorName": "Security Incidents",    }
  "description": "Number of security incidents}
detected per month",  },
    "currentValueexpectedOutcomes": "12",{
      "thresholdtype": "25string",
      "trenddescription": "stable",
      "monitoringFrequency": "dailyA description of the anticipated results or benefits from implementing the response"
    },
    "responsibleOrgUnits": {
      "indicatorNametype": "Vulnerability Remediation Timearray",
      "description": "Average time to remediate critical vulnerabilitiesOrganisation units accountable for executing the strategic response",
      "currentValueitems": {
"1.8 days",       "thresholdtype": "string"3
 days",     }
 "trend": "improving",  },
    "monitoringFrequencystartDate": "weekly"{
    },     {"type": "string",
      "indicatorNameformat": "Phishing Simulation Success Ratedate",
      "description": "PercentageThe planned ofstart employeesdate clickingfor onimplementing simulatedthe phishingstrategic emailsresponse",
    },
    "currentValueendDate": "4.2%",{
      "thresholdtype": "5%string",
      "trendformat": "stabledate",
      "monitoringFrequencydescription": "monthly"The planned completion date for }the strategic response"
 ],   "dependencies": [},
    "status": {
      "dependencyTypetype": "Criticalstring",
      "domainTypedescription": "CapabilityThe current status of the strategic response",
      "entityIDenum": ["CAP-SECOPS-001Planned", "In_Progress",      "description": "Security Operations capability""Completed", "Deferred", "Cancelled"]
    },
    "lastUpdated": {
      "dependencyTypetype": "Importantstring",
      "domainTypeformat": "Informationdate",
      "entityIDdescription": "INFO-DATA-003",
      "description": "Customer Data Security Classification FrameworkThe date when the strategic response record was last updated"
    },
  ],   "documentationReferencesresidualRiskAssessment": [
    {
      "documentNametype": "Information Security Policystring",
      "documentLocationdescription": "Policy repository (IS-POL-001)",
 Assessment of risk remaining after response implementation"
    },
    "documentTypestrategicThemes": "policy",{
      "documentDatetype": "2024-12-15"
    }array",
    {  "description": "An array of strategic "documentName": "Annual Cybersecurity Risk Assessmentpriorities that this initiative supports",
      "documentLocationitems": "Risk{
repository (RISK-RPT-2025-01)",       "documentTypetype": "assessmentstring",
      "documentDate": "2025-02-28"}
    }
  ]}
}
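Review bot: `riskIDs` is missing from the `required` list at the top of the Risk-Related Strategic Responses Schema, which names only `responseID`, `responseTitle`, `responseDescription`, `triggerReferences` and `rationaleReferences`, so a response can validate without pointing at any risk. Consider adding `riskIDs` to `required` and giving the array `"minItems": 1`. Enum spelling is also inconsistent: `status` here uses `"In_Progress"` and `"Cancelled"`, `implementationStatus` under `implementedControls` uses `"in-progress"`, and the `improvementInitiatives` status in the preceding schema uses `"canceled"`; one casing and one spelling would let consumers compare values without normalising them. Likewise, `targetRiskLevel` is an enum running from `"very-low"` to `"very-high"` while `residualRiskAssessment` is a free string, so the residual risk cannot be checked against the target level.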

Risk Management Domain Schema Properties

...