Table of Contents
...
Overview
What is the Risk Management Domain?
...
Key risk indicators
Monitoring frequency and methods
Threshold definitions and alerts
Trend analysis approaches
Escalation pathways
Reporting structures
Implementation Guidelines
Getting Started
Begin by identifying and documenting key risk categories
Select a high-priority risk and create a detailed risk profile
Document the assessment methodology used to evaluate risks
Map major control mechanisms and their effectiveness
Define response strategies for priority risks
Best Practices
Ensure risk profiles have clear ownership and accountability
Base risk assessments on consistent and objective criteria
Update risk evaluations regularly as internal and external factors change
Connect risk elements to strategic decisions and operational capabilities
Involve multiple perspectives in risk analysis to avoid bias
Maintain a balance between risk control costs and potential impact
Common Pitfalls to Avoid
Creating overly complex risk categorization that dilutes management focus
Basing risk assessments on assumptions rather than evidence
Failing to connect risk analysis to strategic and operational domains
Not updating risk profiles as business context evolves
Focusing exclusively on risk avoidance while missing positive risk (opportunity)
Overlooking risk interdependencies and cascading effects
Schema Evolution Guidance
The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:
Enhanced predictive risk analytics
AI-assisted risk identification and assessment
Dynamic risk modeling capabilities
Operational resilience frameworks
Cyber and digital risk extensions
Integrated governance, risk, and compliance models
Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.
Conclusion
The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.
The integration with the Strategic Response Model ensures that risk insights drive strategic decision-making and organizational change. This domain complements other domains by focusing on the uncertainty dimensions that affect organizational activities, providing critical context for strategic planning and operational execution.
Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.
Risk Management Domain Schema
Cross-Domain Relationship Mappings
Risk-Strategy Relationship Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Strategy Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Strategy domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the strategy"
},
"relationshipType": {
"type": "string",
"description": "Nature of the risk influence on strategy",
"enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Strength of influence (1-5)",
"minimum": 1,
"maximum": 5
},
"riskFactors": {
"type": "array",
"description": "Risk factors influencing this strategy",
"items": {
"type": "string"
}
},
"strategicImpact": {
"type": "object",
"description": "How risk impacts strategic elements",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"potentialOutcomes": {
"type": "array",
"description": "Possible strategic outcomes",
"items": {
"type": "string"
}
}
}
},
"strategicObjectives": {
"type": "array",
"description": "Strategic objectives affected by risk",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of strategic objective"
},
"riskImpact": {
"type": "string",
"description": "How risk impacts this objective"
},
"importanceLevel": {
"type": "string",
"description": "Importance to objective",
"enum": ["minor", "moderate", "significant", "critical"]
}
}
}
},
"riskAdjustments": {
"type": "array",
"description": "Strategic adjustments made for risk",
"items": {
"type": "object",
"properties": {
"adjustmentDescription": {
"type": "string",
"description": "Description of adjustment"
},
"adjustmentType": {
"type": "string",
"description": "Type of adjustment",
"enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
},
"effectiveness": {
"type": "string",
"description": "Effectiveness of adjustment",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
}
}
}
},
"riskAppetite": {
"type": "object",
"description": "Strategic risk appetite",
"properties": {
"appetiteLevel": {
"type": "string",
"description": "Level of risk appetite",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
},
"appetiteJustification": {
"type": "string",
"description": "Reason for this appetite level"
},
"variationByObjective": {
"type": "array",
"description": "How appetite varies by objective",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of objective"
},
"specificAppetite": {
"type": "string",
"description": "Specific appetite for this objective",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
}
}
}
}
}
},
"strategicMonitoring": {
"type": "object",
"description": "How risk is monitored in strategy",
"properties": {
"monitoringApproach": {
"type": "string",
"description": "How risk is tracked strategically"
},
"keyIndicators": {
"type": "array",
"description": "Strategic indicators being tracked",
"items": {
"type": "string"
}
},
"reviewFrequency": {
"type": "string",
"description": "How often strategic risk is reviewed",
"enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
}
}
},
"contingencyPlans": {
"type": "array",
"description": "Strategic contingencies for risk events",
"items": {
"type": "object",
"properties": {
"scenarioDescription": {
"type": "string",
"description": "Risk scenario"
},
"contingencyApproach": {
"type": "string",
"description": "Planned response"
},
"triggerConditions": {
"type": "string",
"description": "What activates contingency"
}
}
}
}
}
}
Risk-Capability Relationship Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Capability Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Capability domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the capability"
},
"relationshipType": {
"type": "string",
"description": "Nature of the relationship",
"enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Importance of this relationship (1-5)",
"minimum": 1,
"maximum": 5
},
"riskImpact": {
"type": "object",
"description": "How risk impacts capability",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"impactScenarios": {
"type": "array",
"description": "Specific impact scenarios",
"items": {
"type": "string"
}
}
}
},
"capabilityControls": {
"type": "array",
"description": "Controls within capability addressing risk",
"items": {
"type": "object",
"properties": {
"controlDescription": {
"type": "string",
"description": "Description of control"
},
"controlEffectiveness": {
"type": "string",
"description": "How well control works",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
},
"implementationStatus": {
"type": "string",
"description": "Status of implementation",
"enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"]
}
}
}
},
"capabilityGaps": {
"type": "array",
"description": "Capability gaps increasing risk",
"items": {
"type": "object",
"properties": {
"gapDescription": {
"type": "string",
"description": "Description of gap"
},
"riskContribution": {
"type": "string",
"description": "How gap contributes to risk"
},
"remediation": {
"type": "string",
"description": "Plan to address gap"
}
}
}
},
"performanceMetrics": {
"type": "array",
"description": "Metrics for measuring risk impact on capability",
"items": {
"type": "object",
"properties": {
"metricName": {
"type": "string",
"description": "Name of metric"
},
"metricDescription": {
"type": "string",
"description": "What metric measures"
},
"currentValue": {
"type": "string",
"description": "Current measurement"
},
"targetValue": {
"type": "string",
"description": "Target value"
}
}
}
},
"improvementInitiatives": {
"type": "array",
"description": "Initiatives to improve capability for risk management",
"items": {
"type": "object",
"properties": {
"initiativeDescription": {
"type": "string",
"description": "Description of initiative"
},
"expectedOutcome": {
"type": "string",
"description": "Anticipated result"
},
"status": {
"type": "string",
"description": "Current status",
"enum": ["proposed", "approved", "in-progress", "completed", "canceled"]
}
}
}
},
"dependencyRisks": {
"type": "array",
"description": "Risks arising from capability dependencies",
"items": {
"type": "object",
"properties": {
"dependencyType": {
"type": "string",
"description": "Type of dependency"
},
"dependentEntity": {
"type": "string",
"description": "What capability depends on"
},
"riskScenario": {
"type": "string",
"description": "Risk scenario created by dependency"
}
}
}
}
}
}
Strategic Response Model Integration
Risk-Related Triggers Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Related Triggers Schema",
"description": "Schema for risk-related triggers in the Strategic Response Model",
"type": "object",
"required": ["triggerID", "label", "description", "primaryCategory"],
"properties": {
"triggerID": {
"type": "string",
"description": "Unique identifier for the trigger"
},
"label": {
"type": "string",
"description": "Short, human-readable name of the trigger"
},
"description": {
"type": "string",
"description": "Expanded explanation of the trigger's relevance"
},
"primaryCategory": {
"type": "string",
"description": "Primary classification of trigger context",
"enum": ["Risk_Event", "Control_Failure", "Risk_Level_Change", "New_Risk_Identified", "Regulatory_Change", "Risk_Appetite_Change", "Risk_Concentration", "External_Threat", "Vulnerability_Detected"]
},
"subCategory": {
"type": "string",
"description": "More specific classification within the primary category"
},
"riskID": {
"type": "string",
"description": "ID of the affected risk, if applicable"
},
"controlID": {
"type": "string",
"description": "ID of the related control, if applicable"
},
"origin": {
"type": "string",
"description": "Whether the trigger originates from inside or outside the organisation",
"enum": ["Internal", "External", "Hybrid", "Risk_Assessment", "Audit_Finding", "Control_Monitoring"]
},
"timeHorizon": {
"type": "string",
"description": "The temporal nature of the trigger",
"enum": ["Immediate", "Short_Term", "Medium_Term", "Long_Term", "Emerging_Risk"]
},
"impactLevel": {
"type": "string",
"description": "The potential significance of the trigger",
"enum": ["Low", "Medium", "High", "Critical"]
},
"detectionMethod": {
"type": "string",
"description": "How this trigger was detected",
"enum": ["Risk_Assessment", "Control_Monitoring", "Incident", "Audit", "External_Intelligence", "Stakeholder_Feedback", "Regulatory_Announcement"]
},
"evidenceStrength": {
"type": "integer",
"description": "Strength of evidence for this trigger (1-5)",
"minimum": 1,
"maximum": 5
},
"riskImpact": {
"type": "object",
"description": "Impact on risk profile",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of risk impact"
},
"affectedRiskCategories": {
"type": "array",
"description": "Categories of risk affected",
"items": {
"type": "string"
}
},
"potentialLoss": {
"type": "string",
"description": "Potential financial impact if unaddressed"
}
}
},
"detectionDate": {
"type": "string",
"format": "date",
"description": "Date when the trigger was identified"
},
"validUntil": {
"type": "string",
"format": "date",
"description": "Expected end of relevance for this trigger"
},
"sourceReference": {
"type": "string",
"description": "Reference to source document or authority identifying the trigger"
},
"relatedTriggers": {
"type": "array",
"description": "References to other related triggers",
"items": {
"type": "string"
}
},
"strategicResponseReferences": {
"type": "array",
"description": "References to related Strategic Response artefacts",
"items": {
"type": "string"
}
}
}
}
Risk-Related Rationales Schema
...
      "description": "Optional multiple triggers this rationale addresses",
      "items": { "type": "string" }
    },
    "riskIDs": {
      "type": "array",
      "description": "Risks this rationale relates to",
      "items": { "type": "string" }
    },
    "linkedDomains": {
      "type": "array",
      "description": "Business architecture domains influenced or justified by this rationale",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "rationaleType": {
      "type": "string",
      "description": "The justification type for this rationale",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Response_Planning", "Opportunity_Exploitation", "Compliance_Management"]
    },
    "rationaleOrientation": {
      "type": "string",
      "description": "Whether the rationale is responding to existing conditions or anticipating future conditions",
      "enum": ["Reactive", "Proactive"]
    },
    "riskInsightSource": {
      "type": "string",
      "description": "Source of risk insights supporting this rationale",
      "enum": ["Risk_Assessment", "Incident_Analysis", "Control_Monitoring", "Audit_Finding", "Industry_Intelligence", "Scenario_Analysis", "Expert_Judgment"]
    },
    "anticipatedOutcomes": {
      "type": "array",
      "description": "For proactive rationales, the expected benefits or outcomes",
      "items": { "type": "string" }
    },
    "alternativesConsidered": {
      "type": "array",
      "description": "Other risk approaches that were evaluated but not selected",
      "items": {
        "type": "object",
        "properties": {
          "alternativeID": { "type": "string", "description": "Identifier for the alternative" },
          "alternativeDescription": { "type": "string", "description": "Description of the alternative approach" },
          "riskImplications": { "type": "string", "description": "Risk implications of this alternative" },
          "reasonForRejection": { "type": "string", "description": "Why this approach wasn't selected" }
        }
      }
    },
    "reasoningPattern": {
      "type": "string",
      "description": "The logical structure of the rationale",
      "enum": ["Risk_Based", "Control_Effectiveness", "Cost_Benefit", "Compliance_Based", "Threat_Assessment", "Vulnerability_Based", "Impact_Analysis"]
    },
    "evidenceBase": {
      "type": "string",
      "description": "The foundation for the rationale",
      "enum": ["Risk_Data", "Control_Testing", "Incident_History", "External_Intelligence", "Compliance_Requirements", "Expert_Opinion", "Quantitative_Analysis"]
    },
    "businessValueType": {
      "type": "string",
      "description": "The nature of value creation or preservation",
      "enum": ["Loss_Prevention", "Damage_Limitation", "Reputation_Protection", "Compliance_Assurance", "Operational_Resilience", "Strategic_Protection", "Opportunity_Enabling"]
    },
    "riskImpactAssessment": {
      "type": "object",
      "description": "Assessment of risk implications",
      "properties": {
        "impactType": {
          "type": "string",
          "description": "Type of risk impact",
          "enum": ["financial", "operational", "strategic", "reputational", "compliance", "multiple"]
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact if not addressed",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "impactLikelihood": {
          "type": "string",
          "description": "Likelihood of impact if not addressed",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "confidenceLevel": {
          "type": "integer",
          "description": "Confidence in assessment (1-5)",
          "minimum": 1,
          "maximum": 5
        }
      }
    },
    "dateCreated": {
      "type": "string",
      "format": "date",
      "description": "The date the rationale was first recorded"
    },
    "lastReviewed": {
      "type": "string",
      "format": "date",
      "description": "The most recent date of rationale review"
    },
    "effectivenessRating": {
      "type": "integer",
      "description": "Optional evaluation of rationale effectiveness (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "author": {
      "type": "string",
      "description": "The person or team who documented the rationale"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organisational unit that owns or authored the rationale"
    },
    "relatedRationales": {
      "type": "array",
      "description": "References to other related rationales",
      "items": { "type": "string" }
    }
  }
}
Example Implementation
Example: Cybersecurity Risk Profile Analysis
{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      { "impactType": "reputational", "description": "Severe damage to brand trust and customer confidence", "severity": "high" },
      { "impactType": "regulatory", "description": "Substantial fines under data protection regulations", "severity": "high" },
      { "impactType": "operational", "description": "Service disruption during incident response", "severity": "medium" }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      { "metricName": "Security incidents involving PII", "thresholdValue": "0", "responseRequired": "Immediate executive notification and investigation" },
      { "metricName": "Failed security tests", "thresholdValue": ">5%", "responseRequired": "Security remediation within 48 hours" }
    ],
    "rationale": "Given regulatory requirements and potential reputational impact"
  },
  "riskStatus": "mitigated",
  "mitigationStrategy": {
    "approachType": "reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
    "implementationStatus": "implemented"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": ["Investigating additional advanced endpoint protection", "Enhancing threat hunting capabilities"]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": ["Strengthen third-party security assessment process", "Enhance cloud security monitoring"]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    { "regulationType": "Data Protection", "regulationName": "GDPR", "implications": "Breach notification requirements and potential fines up to 4% of global revenue", "complianceStatus": "compliant" },
    { "regulationType": "Financial", "regulationName": "PCI-DSS", "implications": "Requirements for securing payment card data", "complianceStatus": "compliant" }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      { "objectiveID": "STRAT-DIGITAL-003", "impactDescription": "Risk considerations require adjustment to cloud migration timeline", "impactSeverity": "moderate" },
      { "objectiveID": "STRAT-CUSTOMER-002", "impactDescription": "Enhanced security measures could create friction in customer experience", "impactSeverity": "minor" }
    ]
  },
  "emergingFactors": [
    { "factorName": "AI-Enhanced Cyber Threats", "description": "Increasing sophistication of attacks using AI to evade detection", "potentialImpact": "Could increase probability of successful breach", "timeHorizon": "medium-term", "monitoringApproach": "Threat intelligence subscription and quarterly assessment" },
    { "factorName": "Extended Supply Chain Exposure", "description": "Increasing integration with third-party systems expanding attack surface", "potentialImpact": "New vectors for data compromise", "timeHorizon": "immediate", "monitoringApproach": "Third-party security assessment program" }
  ],
  "relatedRisks": [
    { "riskID": "RISK-TECH-005", "relationshipType": "contributor", "relationshipStrength": 4, "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities" },
    { "riskID": "RISK-COMP-002", "relationshipType": "consequence", "relationshipStrength": 5, "description": "Data breach would trigger Regulatory Compliance Risk" }
  ],
  "keyRiskIndicators": [
    { "indicatorName": "Security Incidents", "description": "Number of security incidents detected per month", "currentValue": "12", "threshold": "25", "trend": "stable", "monitoringFrequency": "daily" },
    { "indicatorName": "Vulnerability Remediation Time", "description": "Average time to remediate critical vulnerabilities", "currentValue": "1.8 days", "threshold": "3 days", "trend": "improving", "monitoringFrequency": "weekly" },
    { "indicatorName": "Phishing Simulation Success Rate", "description": "Percentage of employees clicking on simulated phishing emails", "currentValue": "4.2%", "threshold": "5%", "trend": "stable", "monitoringFrequency": "monthly" }
  ],
  "dependencies": [
    { "dependencyType": "Critical", "domainType": "Capability", "entityID": "CAP-SECOPS-001", "description": "Security Operations capability" },
    { "dependencyType": "Important", "domainType": "Information", "entityID": "INFO-DATA-003", "description": "Customer Data Security Classification Framework" }
  ],
  "documentationReferences": [
    { "documentName": "Information Security Policy", "documentLocation": "Policy repository (IS-POL-001)", "documentType": "policy", "documentDate": "2024-12-15" },
    { "documentName": "Annual Cybersecurity Risk Assessment", "documentLocation": "Risk repository (RISK-RPT-2025-01)", "documentType": "assessment", "documentDate": "2025-02-28" }
  ]
}
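The keyRiskIndicators in the risk profile above and the Risk-Related Triggers Schema earlier on this page fit together: a KRI crossing its threshold is the kind of event the schema's Risk_Level_Change category records. The following added example (not part of the Orthogramic documentation) evaluates the example's KRIs, emits a conforming trigger for each breach, and checks it with a small draft-07 checker that covers the keywords every schema on this page uses, so it validates the relationship schemas' instances as well. The TRIG- identifier pattern, the breaching phishing reading and the "lower is better" reading of thresholds are assumptions.

```python
"""Added example (not Orthogramic code): evaluate KRIs against their thresholds,
emit Risk-Related Triggers for breaches, and check them with a minimal draft-07
checker against a subset of this page's Risk-Related Triggers Schema."""
import re
from datetime import date

# Subset of the page's Risk-Related Triggers Schema; enum values copied unchanged.
TRIGGER_SCHEMA_SUBSET = {
    "type": "object",
    "required": ["triggerID", "label", "description", "primaryCategory"],
    "properties": {
        "triggerID": {"type": "string"},
        "label": {"type": "string"},
        "description": {"type": "string"},
        "primaryCategory": {"type": "string", "enum": [
            "Risk_Event", "Control_Failure", "Risk_Level_Change", "New_Risk_Identified",
            "Regulatory_Change", "Risk_Appetite_Change", "Risk_Concentration",
            "External_Threat", "Vulnerability_Detected"]},
        "riskID": {"type": "string"},
        "origin": {"type": "string", "enum": ["Internal", "External", "Hybrid",
                                             "Risk_Assessment", "Audit_Finding", "Control_Monitoring"]},
        "impactLevel": {"type": "string", "enum": ["Low", "Medium", "High", "Critical"]},
        "detectionMethod": {"type": "string", "enum": [
            "Risk_Assessment", "Control_Monitoring", "Incident", "Audit",
            "External_Intelligence", "Stakeholder_Feedback", "Regulatory_Announcement"]},
        "evidenceStrength": {"type": "integer", "minimum": 1, "maximum": 5},
        "detectionDate": {"type": "string", "format": "date"},
    },
}
_TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}

def validate(instance, schema, path="$"):
    """Violations (empty list if valid) for the draft-07 keywords the page's schemas use:
    type, required, properties, enum, minimum, maximum, items and format=date."""
    t = schema.get("type")
    # JSON integers are not booleans, although Python's bool is an int subclass.
    if t and (not isinstance(instance, _TYPES[t]) or (t == "integer" and isinstance(instance, bool))):
        return [f"{path}: expected {t}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in enum")
    if "minimum" in schema and instance < schema["minimum"]:
        errors.append(f"{path}: {instance} below minimum {schema['minimum']}")
    if "maximum" in schema and instance > schema["maximum"]:
        errors.append(f"{path}: {instance} above maximum {schema['maximum']}")
    if schema.get("format") == "date":
        try:
            date.fromisoformat(instance)
        except ValueError:
            errors.append(f"{path}: not an ISO 8601 date")
    if t == "object":
        errors += [f"{path}.{k}: required property missing"
                   for k in schema.get("required", []) if k not in instance]
        for k, sub in schema.get("properties", {}).items():
            if k in instance:
                errors += validate(instance[k], sub, f"{path}.{k}")
    if t == "array" and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

def kri_number(text):
    """Numeric part of KRI strings such as '4.2%', '1.8 days' or '>5%'."""
    m = re.search(r"-?\d+(?:\.\d+)?", text)
    if not m:
        raise ValueError(f"no number in {text!r}")
    return float(m.group())

def triggers_from_kris(risk_id, kris, detected_on):
    """One Risk-Related Trigger per breached KRI, shaped for the page's schema. Every KRI
    in the page's example is 'lower is better' (assumed here), so a breach is a
    currentValue strictly above the threshold."""
    triggers = []
    for n, kri in enumerate(kris, start=1):
        if kri_number(kri["currentValue"]) > kri_number(kri["threshold"]):
            triggers.append({
                "triggerID": f"TRIG-{risk_id}-{n:03d}",  # constructed ID pattern
                "label": f"KRI breach: {kri['indicatorName']}",
                "description": (f"{kri['indicatorName']} is {kri['currentValue']} against "
                                f"a threshold of {kri['threshold']} (trend: {kri['trend']})"),
                "primaryCategory": "Risk_Level_Change",
                "riskID": risk_id,
                "origin": "Internal",
                "impactLevel": "High" if kri["trend"] == "worsening" else "Medium",
                "detectionMethod": "Control_Monitoring",
                "evidenceStrength": 4,
                "detectionDate": detected_on,
            })
    return triggers

# KRIs from the page's RISK-CYBER-001 example; the phishing reading is constructed to breach.
SAMPLE_KRIS = [
    {"indicatorName": "Security Incidents", "currentValue": "12", "threshold": "25", "trend": "stable"},
    {"indicatorName": "Vulnerability Remediation Time", "currentValue": "1.8 days", "threshold": "3 days", "trend": "improving"},
    {"indicatorName": "Phishing Simulation Success Rate", "currentValue": "6.1%", "threshold": "5%", "trend": "worsening"},
]

if __name__ == "__main__":
    for trig in triggers_from_kris("RISK-CYBER-001", SAMPLE_KRIS, "2025-05-02"):
        print(trig["triggerID"], trig["label"], validate(trig, TRIGGER_SCHEMA_SUBSET) or "schema-valid")
```

Running it prints one trigger for the constructed phishing breach; the two KRIs within their thresholds produce nothing.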
...
Risk-Related Strategic Responses Schema
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Strategic Responses Schema",
  "description": "Schema for risk-related strategic responses in the Strategic Response Model",
  "type": "object",
  "required": ["responseID", "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
  "properties": {
    "responseID": { "type": "string", "description": "A unique identifier for the strategic response" },
    "responseTitle": { "type": "string", "description": "A concise title summarizing the strategic response" },
    "responseType": {
      "type": "string",
      "description": "The classification of the response",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"]
    },
    "responseDescription": { "type": "string", "description": "A detailed explanation of the strategic response, its objectives, and scope" },
    "riskIDs": { "type": "array", "description": "Risk elements this response addresses", "items": { "type": "string" } },
    "triggerReferences": { "type": "array", "description": "An array of triggerIDs that initiated this strategic response", "items": { "type": "string" } },
    "rationaleReferences": { "type": "array", "description": "An array of rationaleIDs providing justification for this response", "items": { "type": "string" } },
    "performanceIndicatorReferences": { "type": "array", "description": "Metrics or KPIs that will be used to measure the success of the strategic response", "items": { "type": "string" } },
    "riskOutcomes": {
      "type": "array",
      "description": "Specific risk management outcomes resulting from this response",
      "items": {
        "type": "object",
        "properties": {
          "outcomeDescription": { "type": "string", "description": "Description of risk outcome" },
          "targetRiskLevel": { "type": "string", "description": "Desired risk level after response", "enum": ["very-low", "low", "moderate", "high", "very-high"] },
          "measurementApproach": { "type": "string", "description": "How outcome will be measured" }
        }
      }
    },
    "implementedControls": {
      "type": "array",
      "description": "Risk controls implemented by this response",
      "items": {
        "type": "object",
        "properties": {
          "controlName": { "type": "string", "description": "Name of control" },
          "controlDescription": { "type": "string", "description": "Description of control" },
          "controlType": { "type": "string", "description": "Type of control", "enum": ["preventive", "detective", "corrective", "directive", "other"] },
          "implementationStatus": { "type": "string", "description": "Status of implementation", "enum": ["planned", "in-progress", "implemented", "effective", "ineffective"] }
        }
      }
    },
    "affectedDomains": {
      "type": "array",
      "description": "A list of business architecture domains impacted by this response",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "implementationPlan": {
      "type": "object",
      "description": "Plan outlining how the response will be executed",
      "properties": {
        "phaseApproach": { "type": "string", "description": "Phasing of implementation" },
        "keyActivities": { "type": "array", "description": "Major implementation activities", "items": { "type": "string" } },
        "resources": { "type": "string", "description": "Resources required for implementation" },
        "governanceStructure": { "type": "string", "description": "Governance over implementation" }
      }
    },
    "riskMonitoring": {
      "type": "array",
      "description": "Ongoing risk monitoring approaches",
      "items": {
        "type": "object",
        "properties": {
          "monitoringMethod": { "type": "string", "description": "Method for monitoring" },
          "keyIndicators": { "type": "array", "description": "Indicators being monitored", "items": { "type": "string" } },
          "frequency": { "type": "string", "description": "How often monitoring occurs", "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"] }
        }
      }
    },
    "expectedOutcomes": { "type": "string", "description": "A description of the anticipated results or benefits from implementing the response" },
    "responsibleOrgUnits": { "type": "array", "description": "Organisation units accountable for executing the strategic response", "items": { "type": "string" } },
    "startDate": { "type": "string", "format": "date", "description": "The planned start date for implementing the strategic response" },
    "endDate": { "type": "string", "format": "date", "description": "The planned completion date for the strategic response" },
    "status": { "type": "string", "description": "The current status of the strategic response", "enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"] },
    "lastUpdated": { "type": "string", "format": "date", "description": "The date when the strategic response record was last updated" },
    "residualRiskAssessment": { "type": "string", "description": "Assessment of risk remaining after response implementation" },
    "strategicThemes": { "type": "array", "description": "An array of strategic priorities that this initiative supports", "items": { "type": "string" } }
  }
}
} ], "rationaledescription": "Specific impact scenarios"Based, on analysis of recent industry breaches and our specific data exposure""items": { }, "riskSeverity": { "leveltype": "highstring", "score": 16, "calculationMethod": "5x5 risk matrix combining probability and impact values" }, "riskTolerance": { } } } "toleranceLevel": "low" }, "thresholdscapabilityControls": [{ { "type": "array", "metricNamedescription": "SecurityControls within incidentscapability involvingaddressing PIIrisk", "thresholdValueitems": "0",{ "responseRequiredtype": "Immediate executive notification and investigation" object", }, "properties": { { "metricNamecontrolDescription": { "Failed security tests", "thresholdValuetype": ">5%string", "responseRequireddescription": "Description of control"Security remediation within 48 hours" }, ], "rationalecontrolEffectiveness": { "Given regulatory requirements and potential reputational impact" }, "riskStatustype": "mitigatedstring", "mitigationStrategy": { "approachTypedescription": "reduceHow well control works", "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training", "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"] "expectedOutcome": "Reduce likelihood of}, successful breach while maintaining detection capabilities", "implementationStatus": { "implemented" }, "residualRisk": { "leveltype": "moderatestring", "acceptableLevel": true, "description": "RemainingStatus riskof primarilyimplementation", related to zero-day vulnerabilities and sophisticated threat actors", "additionalControlsenum": ["not-implemented", "planning", "in-progress", "implemented", "verified"] "Investigating additional} advanced endpoint protection", } "Enhancing threat hunting capabilities" } ] }, "controlEffectivenesscapabilityGaps": { "leveltype": "effectivearray", "lastAssessmentdescription": 
"2025-03-15Capability gaps increasing risk", "improvementNeedsitems": [{ "Strengthen third-party security assessment process "type": "object", "Enhance cloud security monitoring""properties": { ] }, "reviewFrequencygapDescription": "quarterly", { "lastReviewDate": "2025-04-01", "nextReviewDatetype": "2025-07-01string", "regulatoryImplications": [ { "regulationTypedescription": "DataDescription of Protectiongap", "regulationName": "GDPR", }, "implications": "Breach notification requirements and potential fines up to 4% of global revenue","riskContribution": { "complianceStatustype": "compliantstring", }, { "description": "How gap contributes to risk"regulationType": "Financial", "regulationName": "PCI-DSS", }, "implicationsremediation": { "Requirements for securing payment card data", "complianceStatustype": "compliantstring", } ], "strategicImplicationsdescription": "Plan to {address gap" "overallImpact": "mixed", "affectedObjectives": [} { } "objectiveID": "STRAT-DIGITAL-003",} }, "impactDescriptionperformanceMetrics": { "Risk considerations require adjustment to cloud migration timeline"type": "array", "impactSeveritydescription": "moderate"Metrics for measuring risk impact on capability", }, "items": { "objectiveIDtype": "STRAT-CUSTOMER-002object", "impactDescriptionproperties": { "Enhanced security measures could create friction in customer experience","metricName": { "impactSeveritytype": "minor"string", } "description": "Name of metric" ] }, "emergingFactors": [ }, { "factorNamemetricDescription": "AI-Enhanced Cyber Threats", { "descriptiontype": "Increasing sophistication of attacks using AI to evade detection","string", "potentialImpactdescription": "CouldWhat increasemetric probabilitymeasures" of successful breach", "timeHorizon": "medium-term", }, "monitoringApproachcurrentValue": { "Threat intelligence subscription and quarterly assessment" },"type": "string", { "factorNamedescription": "Extended Supply Chain Exposure",Current measurement" 
"description": "Increasing integration with third-party}, systems expanding attack surface", "potentialImpacttargetValue": { "New vectors for data compromise", "timeHorizontype": "immediatestring", "monitoringApproachdescription": "Target "Third-party security assessment program"value" } ], "relatedRisks": [ } { } "riskID": "RISK-TECH-005", }, "relationshipTypeimprovementInitiatives": "contributor",{ "relationshipStrengthtype": 4"array", "description": "LegacyInitiatives Systemto Maintenanceimprove Riskcapability contributesfor torisk cybersecurity vulnerabilitiesmanagement", }, "items": { { "riskIDtype": "RISK-COMP-002object", "relationshipTypeproperties": "consequence", { "relationshipStrengthinitiativeDescription": 5, { "descriptiontype": "string"Data, breach would trigger Regulatory Compliance Risk" } ], "keyRiskIndicators": ["description": "Description of initiative" { }, "indicatorName": "Security Incidents", "descriptionexpectedOutcome": "Number{ of security incidents detected per month", "currentValuetype": "12string", "threshold": "25", "trenddescription": "stable", Anticipated result" "monitoringFrequency": "daily" }, { "indicatorNamestatus": { "Vulnerability Remediation Time", "descriptiontype": "string"Average, time to remediate critical vulnerabilities", "currentValuedescription": "1.8Current daysstatus", "threshold": "3 days", "trendenum": ["improvingproposed", "approved", "monitoringFrequencyin-progress":, "weekly" }completed", "canceled"] { "indicatorName": "Phishing Simulation Success Rate",} } "description": "Percentage of employees clicking on} simulated phishing emails", }, "currentValuedependencyRisks": "4.2%",{ "thresholdtype": "5%array", "trenddescription": "stableRisks arising from capability dependencies", "monitoringFrequencyitems": "monthly"{ } ], "type": "dependenciesobject":, [ { "properties": { "dependencyType": "Critical", "domainTypedependencyType": "Capability", { "entityID": "CAP-SECOPS-001", "descriptiontype": "Security Operations 
capability" },string", { "dependencyTypedescription": "Important", Type of dependency" "domainType": "Information", }, "entityID": "INFO-DATA-003", "descriptiondependentEntity": "Customer{ Data Security Classification Framework" } ], "type": "documentationReferencesstring":, [ { "documentNamedescription": "InformationWhat capability Securitydepends Policyon", "documentLocation": "Policy repository (IS-POL-001)", }, "documentTyperiskScenario": "policy", { "documentDatetype": "2024-12-15" },string", { "documentNamedescription": "AnnualRisk scenario Cybersecuritycreated Riskby Assessmentdependency", "documentLocation": "Risk repository (RISK-RPT-2025-01)", } "documentType": "assessment", } "documentDate": "2025-02-28" } } ]} } |
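As an added example (not code from the Orthogramic page or project), the snippet below evaluates the keyRiskIndicators of the RISK-CYBER-001 profile against their thresholds, the kind of check an earlyWarningSystem in the monitoring schema would run. It assumes every KRI is lower-is-better, that a value at or above its threshold is a breach, and that a warning fires within 80% of the threshold; the 0.8 ratio and the value-with-unit parsing are assumptions, not part of the page's schema.

```python
import re

# KRI entries in the shape the page's RISK-CYBER-001 profile uses (values copied from it).
KEY_RISK_INDICATORS = [
    {"indicatorName": "Security Incidents", "currentValue": "12", "threshold": "25",
     "trend": "stable", "monitoringFrequency": "daily"},
    {"indicatorName": "Vulnerability Remediation Time", "currentValue": "1.8 days",
     "threshold": "3 days", "trend": "improving", "monitoringFrequency": "weekly"},
    {"indicatorName": "Phishing Simulation Success Rate", "currentValue": "4.2%",
     "threshold": "5%", "trend": "stable", "monitoringFrequency": "monthly"},
]

# Accepts an optional comparator (the page writes tolerance thresholds such as ">5%"),
# a number, and an optional unit such as "days" or "%".
_MEASURE = re.compile(r"^\s*[<>]?=?\s*([0-9]*\.?[0-9]+)\s*([A-Za-z%]*)\s*$")


def parse_measure(text):
    """Turn '1.8 days', '>5%' or '12' into (number, unit); unit is '' when absent."""
    match = _MEASURE.match(text)
    if not match:
        raise ValueError(f"unparseable KRI value: {text!r}")
    number, unit = match.groups()
    return float(number), unit.lower()


def evaluate_kri(kri, warning_ratio=0.8):
    """Classify one KRI as 'breach', 'warning' or 'ok'.

    Assumed semantics (the page does not state them): lower is better, a value at or
    above the threshold is a breach, and a value within warning_ratio of the threshold
    is an early warning. Value and threshold must carry the same unit.
    """
    current, cur_unit = parse_measure(kri["currentValue"])
    limit, lim_unit = parse_measure(kri["threshold"])
    if cur_unit != lim_unit:
        raise ValueError(f"{kri['indicatorName']}: unit mismatch {cur_unit!r} vs {lim_unit!r}")
    if current >= limit:
        return "breach"
    if current >= warning_ratio * limit:
        return "warning"
    return "ok"


def kri_report(kris, warning_ratio=0.8):
    """Map each indicator name to its status, e.g. for a dashboard indicator or alert."""
    return {kri["indicatorName"]: evaluate_kri(kri, warning_ratio) for kri in kris}


if __name__ == "__main__":
    print(kri_report(KEY_RISK_INDICATORS))
```

With the page's values only the phishing click rate (4.2% against a 5% threshold) lands in the warning band; the other two indicators sit comfortably below their thresholds.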
Risk Management Domain Schema Properties
...
Property | Description | Example |
---|---|---|
monitoringID | Unique identifier for the risk monitoring activity | "MON-CYBER-002" |
monitoringTitle | Name of the specific risk monitoring activity | "Cybersecurity Risk Monitoring Program" |
description | Detailed explanation of the risk monitoring activity | "Continuous monitoring of key risk indicators and control effectiveness" |
orgUnitTitle | Organization unit responsible for this monitoring | "Security Operations Center" |
monitoredRisks | Risks being monitored | [{"riskID": "RISK-CYBER-001", "monitoringPriority": "high"}] |
keyRiskIndicators | Indicators being tracked | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
monitoringFrequency | Frequency of monitoring activities | {"reviewCycle": "continuous", "justification": "Critical risk requiring real-time visibility"} |
monitoringMethods | Approaches used for monitoring | [{"methodName": "SIEM Analytics", "automationLevel": "fully-automated"}] |
earlyWarningSystem | System for early detection of risk changes | {"alertMechanisms": ["Automated alerts", "Dashboard indicators"]} |
monitoringResponsibilities | People responsible for monitoring | [{"role": "SOC Analyst", "responsibilities": ["Monitor alerts", "Initial triage"]}] |
reportingStructure | How monitoring results are reported | {"reportTypes": [{"reportName": "Weekly Security Status", "reportFrequency": "weekly"}]} |
technologySystems | Systems supporting monitoring | [{"systemName": "Security Information & Event Management", "systemFunction": "Log analysis"}] |
dataManagement | How monitoring data is managed | {"dataSources": ["Firewall logs", "IDS alerts", "Authentication logs"]} |
historicalPerformance | History of monitoring effectiveness | {"successRate": "93% of incidents detected by monitoring systems"} |
Schema Evolution Guidance
The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:
Enhanced predictive risk analytics
AI-assisted risk identification and assessment
Dynamic risk modeling capabilities
Operational resilience frameworks
Cyber and digital risk extensions
Integrated governance, risk, and compliance models
Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.