Overview
What is the Risk Management Domain?
...
Key risk indicators
Monitoring frequency and methods
Threshold definitions and alerts
Trend analysis approaches
Escalation pathways
Reporting structures
Implementation Guidelines
Getting Started
Begin by identifying and documenting key risk categories
Select a high-priority risk and create a detailed risk profile
Document the assessment methodology used to evaluate risks
Map major control mechanisms and their effectiveness
Define response strategies for priority risks
Best Practices
Ensure risk profiles have clear ownership and accountability
Base risk assessments on consistent and objective criteria
Update risk evaluations regularly as internal and external factors change
Connect risk elements to strategic decisions and operational capabilities
Involve multiple perspectives in risk analysis to avoid bias
Maintain a balance between risk control costs and potential impact
Common Pitfalls to Avoid
Creating overly complex risk categorization that dilutes management focus
Basing risk assessments on assumptions rather than evidence
Failing to connect risk analysis to strategic and operational domains
Not updating risk profiles as business context evolves
Focusing exclusively on risk avoidance while missing positive risk (opportunity)
Overlooking risk interdependencies and cascading effects
Schema Evolution Guidance
The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:
Enhanced predictive risk analytics
AI-assisted risk identification and assessment
Dynamic risk modeling capabilities
Operational resilience frameworks
Cyber and digital risk extensions
Integrated governance, risk, and compliance models
Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.
Conclusion
The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.
The integration with the Strategic Response Model ensures that risk insights drive strategic decision-making and organizational change. This domain complements other domains by focusing on the uncertainty dimensions that affect organizational activities, providing critical context for strategic planning and operational execution.
Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.
Risk Management Domain Schema
Cross-Domain Relationship Mappings
Risk-Strategy Relationship Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Strategy Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Strategy domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the strategy"
},
"relationshipType": {
"type": "string",
"description": "Nature of the risk influence on strategy",
"enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Strength of influence (1-5)",
"minimum": 1,
"maximum": 5
},
"riskFactors": {
"type": "array",
"description": "Risk factors influencing this strategy",
"items": {
"type": "string"
}
},
"strategicImpact": {
"type": "object",
"description": "How risk impacts strategic elements",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"potentialOutcomes": {
"type": "array",
"description": "Possible strategic outcomes",
"items": {
"type": "string"
}
}
}
},
"strategicObjectives": {
"type": "array",
"description": "Strategic objectives affected by risk",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of strategic objective"
},
"riskImpact": {
"type": "string",
"description": "How risk impacts this objective"
},
"importanceLevel": {
"type": "string",
"description": "Importance to objective",
"enum": ["minor", "moderate", "significant", "critical"]
}
}
}
},
"riskAdjustments": {
"type": "array",
"description": "Strategic adjustments made for risk",
"items": {
"type": "object",
"properties": {
"adjustmentDescription": {
"type": "string",
"description": "Description of adjustment"
},
"adjustmentType": {
"type": "string",
"description": "Type of adjustment",
"enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
},
"effectiveness": {
"type": "string",
"description": "Effectiveness of adjustment",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
}
}
}
},
"riskAppetite": {
"type": "object",
"description": "Strategic risk appetite",
"properties": {
"appetiteLevel": {
"type": "string",
"description": "Level of risk appetite",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
},
"appetiteJustification": {
"type": "string",
"description": "Reason for this appetite level"
},
"variationByObjective": {
"type": "array",
"description": "How appetite varies by objective",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of objective"
},
"specificAppetite": {
"type": "string",
"description": "Specific appetite for this objective",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
}
}
}
}
}
},
"strategicMonitoring": {
"type": "object",
"description": "How risk is monitored in strategy",
"properties": {
"monitoringApproach": {
"type": "string",
"description": "How risk is tracked strategically"
},
"keyIndicators": {
"type": "array",
"description": "Strategic indicators being tracked",
"items": {
"type": "string"
}
},
"reviewFrequency": {
"type": "string",
"description": "How often strategic risk is reviewed",
"enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
}
}
},
"contingencyPlans": {
"type": "array",
"description": "Strategic contingencies for risk events",
"items": {
"type": "object",
"properties": {
"scenarioDescription": {
"type": "string",
"description": "Risk scenario"
},
"contingencyApproach": {
"type": "string",
"description": "Planned response"
},
"triggerConditions": {
"type": "string",
"description": "What activates contingency"
}
}
}
}
}
}
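The relationship schemas above use only a handful of JSON Schema keywords (type, required, properties, items, enum, minimum, maximum). As an added example, not code from the Orthogramic project, here is a small validator for exactly that subset, run against a trimmed copy of the Risk-Strategy Relationship Schema and two constructed relationship instances:

```python
"""Validate relationship instances against the keyword subset used by the
cross-domain schemas on this page: type, required, properties, items, enum,
minimum and maximum.  Added example; not part of the Orthogramic Metamodel.
The schema below is a trimmed copy of the Risk-Strategy Relationship Schema and
both instances are constructed."""
from typing import Any, Dict, List

RISK_STRATEGY_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "required": ["relationshipID", "riskID", "title", "relationshipType"],
    "properties": {
        "relationshipID": {"type": "string"},
        "riskID": {"type": "string"},
        "title": {"type": "string"},
        "relationshipType": {
            "type": "string",
            "enum": ["strategic-threat", "strategic-opportunity", "execution-risk",
                     "enabler", "constraint", "context-factor", "success-factor", "other"],
        },
        "relationshipStrength": {"type": "integer", "minimum": 1, "maximum": 5},
        "riskFactors": {"type": "array", "items": {"type": "string"}},
        "strategicImpact": {
            "type": "object",
            "properties": {
                "impactDescription": {"type": "string"},
                "impactSeverity": {
                    "type": "string",
                    "enum": ["minimal", "moderate", "significant", "severe", "critical"],
                },
            },
        },
    },
}

_PY_TYPES = {"string": str, "integer": int, "number": (int, float),
             "boolean": bool, "object": dict, "array": list}


def _has_type(value: Any, name: str) -> bool:
    # bool is a subclass of int in Python; JSON Schema keeps them distinct.
    if name in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _PY_TYPES[name])


def validate(instance: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Return every violation as 'path: reason'; an empty list means conformant."""
    errors: List[str] = []
    expected = schema.get("type")
    if expected and not _has_type(instance, expected):
        errors.append(f"{path}: expected {expected}, got {type(instance).__name__}")
        return errors  # the remaining keywords assume the declared type
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not one of {schema['enum']}")
    if "minimum" in schema and instance < schema["minimum"]:
        errors.append(f"{path}: {instance} is below minimum {schema['minimum']}")
    if "maximum" in schema and instance > schema["maximum"]:
        errors.append(f"{path}: {instance} is above maximum {schema['maximum']}")
    if expected == "object":
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property {key!r}")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if expected == "array" and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed instances: one conformant, one with four distinct defects.
GOOD_RELATIONSHIP = {
    "relationshipID": "REL-RS-001",
    "riskID": "RISK-CYBER-001",
    "title": "Cloud Migration Programme",
    "relationshipType": "execution-risk",
    "relationshipStrength": 4,
    "riskFactors": ["Data residency", "Shared-responsibility gaps"],
    "strategicImpact": {"impactDescription": "Migration waves gated on control attestation",
                        "impactSeverity": "significant"},
}

BAD_RELATIONSHIP = {
    "relationshipID": "REL-RS-002",           # riskID (required) is missing
    "title": "Cloud Migration Programme",
    "relationshipType": "blocker",            # not in the relationshipType enum
    "relationshipStrength": 7,                # above the maximum of 5
    "riskFactors": ["Data residency", 42],    # array item is not a string
}

if __name__ == "__main__":
    for name, inst in (("good", GOOD_RELATIONSHIP), ("bad", BAD_RELATIONSHIP)):
        print(name, validate(inst, RISK_STRATEGY_SCHEMA) or "conformant")
```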
Risk-Capability Relationship Schema
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Capability Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Capability domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the capability"
},
"relationshipType": {
"type": "string",
"description": "Nature of the relationship",
"enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Importance of this relationship (1-5)",
"minimum": 1,
"maximum": 5
},
"riskImpact": {
"type": "object",
"description": "How risk impacts capability",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"impactScenarios": {
"type": "array",
"description": "Specific impact scenarios",
"items": {
"type": "string"
}
}
}
},
"capabilityControls": {
"type": "array",
"description": "Controls within capability addressing risk",
"items": {
"type": "object",
"properties": {
"controlDescription": {
"type": "string",
"description": "Description of control"
},
"controlEffectiveness": {
"type": "string",
"description": "How well control works",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
},
"implementationStatus": {
"type": "string",
"description": "Status of implementation",
"enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"]
}
}
}
},
"capabilityGaps": {
"type": "array",
"description": "Capability gaps increasing risk",
"items": {
"type": "object",
"properties": {
"gapDescription": {
"type": "string",
"description": "Description of gap"
},
"riskContribution": {
"type": "string",
"description": "How gap contributes to risk"
},
"remediation": {
"type": "string",
"description": "Plan to address gap"
}
}
}
},
"performanceMetrics": {
"type": "array",
"description": "Metrics for measuring risk impact on capability",
"items": {
"type": "object",
"properties": {
"metricName": {
"type": "string",
"description": "Name of metric"
},
"metricDescription": {
"type": "string",
"description": "What metric measures"
},
"currentValue": {
"type": "string",
"description": "Current measurement"
},
"targetValue": {
"type": "string",
"description": "Target value"
}
}
}
},
"improvementInitiatives": {
"type": "array",
"description": "Initiatives to improve capability for risk management",
"items": {
"type": "object",
"properties": {
"initiativeDescription": {
"type": "string",
"description": "Description of initiative"
},
"expectedOutcome": {
"type": "string",
"description": "Anticipated result"
},
"status": {
"type": "string",
"description": "Current status",
"enum": ["proposed", "approved", "in-progress", "completed", "canceled"]
}
}
}
},
"dependencyRisks": {
"type": "array",
"description": "Risks arising from capability dependencies",
"items": {
"type": "object",
"properties": {
"dependencyType": {
"type": "string",
"description": "Type of dependency"
},
"dependentEntity": {
"type": "string",
"description": "What capability depends on"
},
"riskScenario": {
"type": "string",
"description": "Risk scenario created by dependency"
}
}
}
}
}
}
Strategic Response Model Integration
Risk-Related Rationales Schema
...
    "rationaleID": { "type": "string", "description": "Unique identifier for the rationale" },
    "rationaleTitle": { "type": "string", "description": "Title or summary of the rationale" },
    "description": { "type": "string", "description": "Detailed explanation supporting a strategic response" },
    "triggerReference": { "type": "string", "description": "Primary trigger this rationale responds to" },
    "triggerReferences": { "type": "array", "description": "Optional multiple triggers this rationale addresses", "items": { "type": "string" } },
    "riskIDs": { "type": "array", "description": "Risks this rationale relates to", "items": { "type": "string" } },
    "linkedDomains": {
      "type": "array",
      "description": "Business architecture domains influenced or justified by this rationale",
      "items": { "type": "string", "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"] }
    },
    "rationaleType": { "type": "string", "description": "The justification type for this rationale", "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Response_Planning", "Opportunity_Exploitation", "Compliance_Management"] },
    "rationaleOrientation": { "type": "string", "description": "Whether the rationale is responding to existing conditions or anticipating future conditions", "enum": ["Reactive", "Proactive"] },
    "riskInsightSource": { "type": "string", "description": "Source of risk insights supporting this rationale", "enum": ["Risk_Assessment", "Incident_Analysis", "Control_Monitoring", "Audit_Finding", "Industry_Intelligence", "Scenario_Analysis", "Expert_Judgment"] },
    "anticipatedOutcomes": { "type": "array", "description": "For proactive rationales, the expected benefits or outcomes", "items": { "type": "string" } },
    "alternativesConsidered": {
      "type": "array",
      "description": "Other risk approaches that were evaluated but not selected",
      "items": {
        "type": "object",
        "properties": {
          "alternativeID": { "type": "string", "description": "Identifier for the alternative" },
          "alternativeDescription": { "type": "string", "description": "Description of the alternative approach" },
          "riskImplications": { "type": "string", "description": "Risk implications of this alternative" },
          "reasonForRejection": { "type": "string", "description": "Why this approach wasn't selected" }
        }
      }
    },
    "reasoningPattern": { "type": "string", "description": "The logical structure of the rationale", "enum": ["Risk_Based", "Control_Effectiveness", "Cost_Benefit", "Compliance_Based", "Threat_Assessment", "Vulnerability_Based", "Impact_Analysis"] },
    "evidenceBase": { "type": "string", "description": "The foundation for the rationale", "enum": ["Risk_Data", "Control_Testing", "Incident_History", "External_Intelligence", "Compliance_Requirements", "Expert_Opinion", "Quantitative_Analysis"] },
    "businessValueType": { "type": "string", "description": "The nature of value creation or preservation", "enum": ["Loss_Prevention", "Damage_Limitation", "Reputation_Protection", "Compliance_Assurance", "Operational_Resilience", "Strategic_Protection", "Opportunity_Enabling"] },
    "riskImpactAssessment": {
      "type": "object",
      "description": "Assessment of risk implications",
      "properties": {
        "impactType": { "type": "string", "description": "Type of risk impact", "enum": ["financial", "operational", "strategic", "reputational", "compliance", "multiple"] },
        "impactSeverity": { "type": "string", "description": "Severity of impact if not addressed", "enum": ["minimal", "moderate", "significant", "severe", "critical"] },
        "impactLikelihood": { "type": "string", "description": "Likelihood of impact if not addressed", "enum": ["very-low", "low", "moderate", "high", "very-high"] },
        "confidenceLevel": { "type": "integer", "description": "Confidence in assessment (1-5)", "minimum": 1, "maximum": 5 }
      }
    },
    "dateCreated": { "type": "string", "format": "date", "description": "The date the rationale was first recorded" },
    "lastReviewed": { "type": "string", "format": "date", "description": "The most recent date of rationale review" },
    "effectivenessRating": { "type": "integer", "description": "Optional evaluation of rationale effectiveness (1-5)", "minimum": 1, "maximum": 5 },
    "author": { "type": "string", "description": "The person or team who documented the rationale" },
    "orgUnitTitle": { "type": "string", "description": "The organisational unit that owns or authored the rationale" },
    "relatedRationales": { "type": "array", "description": "References to other related rationales", "items": { "type": "string" } }
  }
}
Example Implementation
Example: Cybersecurity Risk Profile Analysis
{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      { "impactType": "reputational", "description": "Severe damage to brand trust and customer confidence", "severity": "high" },
      { "impactType": "regulatory", "description": "Substantial fines under data protection regulations", "severity": "high" },
      { "impactType": "operational", "description": "Service disruption during incident response", "severity": "medium" }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      { "metricName": "Security incidents involving PII", "thresholdValue": "0", "responseRequired": "Immediate executive notification and investigation" },
      { "metricName": "Failed security tests", "thresholdValue": ">5%", "responseRequired": "Security remediation within 48 hours" }
    ],
    "rationale": "Given regulatory requirements and potential reputational impact"
  },
  "riskStatus": "mitigated",
  "mitigationStrategy": {
    "approachType": "reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
    "implementationStatus": "implemented"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": ["Investigating additional advanced endpoint protection", "Enhancing threat hunting capabilities"]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": ["Strengthen third-party security assessment process", "Enhance cloud security monitoring"]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    { "regulationType": "Data Protection", "regulationName": "GDPR", "implications": "Breach notification requirements and potential fines up to 4% of global revenue", "complianceStatus": "compliant" },
    { "regulationType": "Financial", "regulationName": "PCI-DSS", "implications": "Requirements for securing payment card data", "complianceStatus": "compliant" }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      { "objectiveID": "STRAT-DIGITAL-003", "impactDescription": "Risk considerations require adjustment to cloud migration timeline", "impactSeverity": "moderate" },
      { "objectiveID": "STRAT-CUSTOMER-002", "impactDescription": "Enhanced security measures could create friction in customer experience", "impactSeverity": "minor" }
    ]
  },
  "emergingFactors": [
    { "factorName": "AI-Enhanced Cyber Threats", "description": "Increasing sophistication of attacks using AI to evade detection", "potentialImpact": "Could increase probability of successful breach", "timeHorizon": "medium-term", "monitoringApproach": "Threat intelligence subscription and quarterly assessment" },
    { "factorName": "Extended Supply Chain Exposure", "description": "Increasing integration with third-party systems expanding attack surface", "potentialImpact": "New vectors for data compromise", "timeHorizon": "immediate", "monitoringApproach": "Third-party security assessment program" }
  ],
  "relatedRisks": [
    { "riskID": "RISK-TECH-005", "relationshipType": "contributor", "relationshipStrength": 4, "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities" },
    { "riskID": "RISK-COMP-002", "relationshipType": "consequence", "relationshipStrength": 5, "description": "Data breach would trigger Regulatory Compliance Risk" }
  ],
  "keyRiskIndicators": [
    { "indicatorName": "Security Incidents", "description": "Number of security incidents detected per month", "currentValue": "12", "threshold": "25", "trend": "stable", "monitoringFrequency": "daily" },
    { "indicatorName": "Vulnerability Remediation Time", "description": "Average time to remediate critical vulnerabilities", "currentValue": "1.8 days", "threshold": "3 days", "trend": "improving", "monitoringFrequency": "weekly" },
    { "indicatorName": "Phishing Simulation Success Rate", "description": "Percentage of employees clicking on simulated phishing emails", "currentValue": "4.2%", "threshold": "5%", "trend": "stable", "monitoringFrequency": "monthly" }
  ],
  "dependencies": [
    { "dependencyType": "Critical", "domainType": "Capability", "entityID": "CAP-SECOPS-001", "description": "Security Operations capability" },
    { "dependencyType": "Important", "domainType": "Information", "entityID": "INFO-DATA-003", "description": "Customer Data Security Classification Framework" }
  ],
  "documentationReferences": [
    { "documentName": "Information Security Policy", "documentLocation": "Policy repository (IS-POL-001)", "documentType": "policy", "documentDate": "2024-12-15" },
    { "documentName": "Annual Cybersecurity Risk Assessment", "documentLocation": "Risk repository (RISK-RPT-2025-01)", "documentType": "assessment", "documentDate": "2025-02-28" }
  ]
}
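The cybersecurity risk profile above carries key risk indicators (currentValue, threshold, trend) and tolerance thresholds with a responseRequired text, which is exactly the input a monitoring job needs for threshold alerts and escalation. As an added example that is not part of the Orthogramic Metamodel, the script below evaluates those values: the KRI and threshold figures are copied from the profile, the observed readings for the two tolerance thresholds are constructed, and the breach, warning and escalation rules are assumptions.

```python
"""Evaluate the key risk indicators and tolerance thresholds of the cybersecurity
risk profile on this page.  Added example, not part of the Orthogramic Metamodel:
the KRI and threshold values are copied from the page's example profile, the
observed readings for the tolerance thresholds are constructed, and the breach,
warning and escalation rules are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# keyRiskIndicators from the example profile RISK-CYBER-001 on this page.
KEY_RISK_INDICATORS = [
    {"indicatorName": "Security Incidents", "currentValue": "12",
     "threshold": "25", "trend": "stable"},
    {"indicatorName": "Vulnerability Remediation Time", "currentValue": "1.8 days",
     "threshold": "3 days", "trend": "improving"},
    {"indicatorName": "Phishing Simulation Success Rate", "currentValue": "4.2%",
     "threshold": "5%", "trend": "stable"},
]

# riskTolerance.thresholds from the same profile, paired with constructed readings.
TOLERANCE_READINGS = [
    {"metricName": "Security incidents involving PII", "thresholdValue": "0",
     "responseRequired": "Immediate executive notification and investigation",
     "currentValue": "1"},
    {"metricName": "Failed security tests", "thresholdValue": ">5%",
     "responseRequired": "Security remediation within 48 hours",
     "currentValue": "3%"},
]

_MEASURE = re.compile(r"^\s*(>=|<=|>|<)?\s*([0-9]+(?:\.[0-9]+)?)\s*([A-Za-z%]*)\s*$")


def parse_measure(text: str) -> Tuple[Optional[str], float, str]:
    """Split '>5%', '1.8 days' or '25' into (comparator, number, unit)."""
    m = _MEASURE.match(text)
    if not m:
        raise ValueError(f"unparseable measure: {text!r}")
    comparator, number, unit = m.groups()
    return comparator, float(number), unit.lower()


@dataclass
class Finding:
    name: str
    breached: bool
    headroom: float   # share of the threshold still unused; negative once breached
    action: str       # assumed escalation tier, or the page's responseRequired text


def check(name: str, current: str, threshold: str, trend: Optional[str] = None,
          response: Optional[str] = None, warn_at: float = 0.8) -> Finding:
    """Every indicator on the page is 'higher is worse'.  A bare threshold or one
    written '>x' is breached when the reading exceeds x, '>=x' when it reaches x.
    Readings within warn_at of the limit are flagged unless the trend is improving."""
    _, value, unit = parse_measure(current)
    comparator, limit, limit_unit = parse_measure(threshold)
    if comparator in ("<", "<="):
        raise ValueError(f"{name}: lower-is-worse thresholds are not used on this page")
    if unit != limit_unit:
        raise ValueError(f"{name}: unit mismatch {unit!r} vs {limit_unit!r}")
    breached = value >= limit if comparator == ">=" else value > limit
    headroom = (limit - value) / limit if limit else -float(value)
    if breached:
        action = response or "escalate to riskOwner"     # assumed tier
    elif limit and headroom <= 1 - warn_at and trend != "improving":
        action = "flag for next review"                  # assumed tier
    else:
        action = "none"
    return Finding(name, breached, round(headroom, 3), action)


def evaluate_profile() -> List[Finding]:
    """Run every KRI and tolerance threshold of the example profile."""
    findings = [check(k["indicatorName"], k["currentValue"], k["threshold"], k["trend"])
                for k in KEY_RISK_INDICATORS]
    findings += [check(t["metricName"], t["currentValue"], t["thresholdValue"],
                       response=t["responseRequired"]) for t in TOLERANCE_READINGS]
    return findings


if __name__ == "__main__":
    for f in evaluate_profile():
        state = "BREACH" if f.breached else "ok"
        print(f"{state:6} {f.name}: headroom={f.headroom:+.0%} -> {f.action}")
```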
Risk-Related Strategic Responses Schema
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Strategic Responses Schema",
  "description": "Schema for risk-related strategic responses in the Strategic Response Model",
  "type": "object",
  "required": ["responseID", "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
  "properties": {
    "responseID": { "type": "string", "description": "A unique identifier for the strategic response" },
    "responseTitle": { "type": "string", "description": "A concise title summarizing the strategic response" },
    "responseType": { "type": "string", "description": "The classification of the response", "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"] },
    "responseDescription": { "type": "string", "description": "A detailed explanation of the strategic response, its objectives, and scope" },
    "riskIDs": { "type": "array", "description": "Risk elements this response addresses", "items": { "type": "string" } },
    "triggerReferences": { "type": "array", "description": "An array of triggerIDs that initiated this strategic response", "items": { "type": "string" } },
    "rationaleReferences": { "type": "array", "description": "An array of rationaleIDs providing justification for this response", "items": { "type": "string" } },
    "performanceIndicatorReferences": { "type": "array", "description": "Metrics or KPIs that will be used to measure the success of the strategic response", "items": { "type": "string" } },
    "riskOutcomes": {
      "type": "array",
      "description": "Specific risk management outcomes resulting from this response",
      "items": {
        "type": "object",
        "properties": {
          "outcomeDescription": { "type": "string", "description": "Description of risk outcome" },
          "targetRiskLevel": { "type": "string", "description": "Desired risk level after response", "enum": ["very-low", "low", "moderate", "high", "very-high"] },
          "measurementApproach": { "type": "string", "description": "How outcome will be measured" }
        }
      }
    },
    "implementedControls": {
      "type": "array",
      "description": "Risk controls implemented by this response",
      "items": {
        "type": "object",
        "properties": {
          "controlName": { "type": "string", "description": "Name of control" },
          "controlDescription": { "type": "string", "description": "Description of control" },
          "controlType": { "type": "string", "description": "Type of control", "enum": ["preventive", "detective", "corrective", "directive", "other"] },
          "implementationStatus": { "type": "string", "description": "Status of implementation", "enum": ["planned", "in-progress", "implemented", "effective", "ineffective"] }
        }
      }
    },
    "affectedDomains": {
      "type": "array",
      "description": "A list of business architecture domains impacted by this response",
      "items": { "type": "string", "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"] }
    },
    "implementationPlan": {
      "type": "object",
      "description": "Plan outlining how the response will be executed",
      "properties": {
        "phaseApproach": { "type": "string", "description": "Phasing of implementation" },
        "keyActivities": { "type": "array", "description": "Major implementation activities", "items": { "type": "string" } },
        "resources": { "type": "string", "description": "Resources required for implementation" },
        "governanceStructure": { "type": "string", "description": "Governance over implementation" }
      }
    },
    "riskMonitoring": {
      "type": "array",
      "description": "Ongoing risk monitoring approaches",
      "items": {
        "type": "object",
        "properties": {
          "monitoringMethod": { "type": "string", "description": "Method for monitoring" },
          "keyIndicators": { "type": "array", "description": "Indicators being monitored", "items": { "type": "string" } },
          "frequency": { "type": "string", "description": "How often monitoring occurs", "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually"] }
        }
      }
    },
    "expectedOutcomes": { "type": "string", "description": "A description of the anticipated results or benefits from implementing the response" },
    "responsibleOrgUnits": { "type": "array", "description": "Organisation units accountable for executing the strategic response", "items": { "type": "string" } },
    "startDate": { "type": "string", "format": "date", "description": "The planned start date for implementing the strategic response" },
    "endDate": { "type": "string", "format": "date", "description": "The planned completion date for the strategic response" },
    "status": { "type": "string", "description": "The current status of the strategic response", "enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"] },
    "lastUpdated": { "type": "string", "format": "date", "description": "The date when the strategic response record was last updated" },
    "residualRiskAssessment": { "type": "string", "description": "Assessment of risk remaining after response implementation" },
    "strategicThemes": { "type": "array", "description": "An array of strategic priorities that this initiative supports", "items": { "type": "string" } }
  }
}
Example Implementation
Example: Cybersecurity Risk Profile Analysis
Code Block |
---|
Risk profile example (RISK-CYBER-001), separated out of the interleaved table cell:

```json
{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      { "impactType": "reputational", "description": "Severe damage to brand trust and customer confidence", "severity": "high" },
      { "impactType": "regulatory", "description": "Substantial fines under data protection regulations", "severity": "high" },
      { "impactType": "operational", "description": "Service disruption during incident response", "severity": "medium" }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      { "metricName": "Security incidents involving PII", "thresholdValue": "0", "responseRequired": "Immediate executive notification and investigation" },
      { "metricName": "Failed security tests", "thresholdValue": ">5%", "responseRequired": "Security remediation within 48 hours" }
    ],
    "rationale": "Given regulatory requirements and potential reputational impact"
  },
  "riskStatus": "mitigated",
  "mitigationStrategy": {
    "approachType": "reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": ["Investigating additional advanced endpoint protection", "Enhancing threat hunting capabilities"]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": ["Strengthen third-party security assessment process", "Enhance cloud security monitoring"]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    { "regulationType": "Data Protection", "regulationName": "GDPR", "implications": "Breach notification requirements and potential fines up to 4% of global revenue", "complianceStatus": "compliant" },
    { "regulationType": "Financial", "regulationName": "PCI-DSS", "implications": "Requirements for securing payment card data", "complianceStatus": "compliant" }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      { "objectiveID": "STRAT-DIGITAL-003", "impactDescription": "Risk considerations require adjustment to cloud migration timeline", "impactSeverity": "moderate" },
      { "objectiveID": "STRAT-CUSTOMER-002", "impactDescription": "Enhanced security measures could create friction in customer experience", "impactSeverity": "minor" }
    ]
  },
  "emergingFactors": [
    { "factorName": "AI-Enhanced Cyber Threats", "description": "Increasing sophistication of attacks using AI to evade detection", "potentialImpact": "Could increase probability of successful breach", "timeHorizon": "medium-term", "monitoringApproach": "Threat intelligence subscription and quarterly assessment" },
    { "factorName": "Extended Supply Chain Exposure", "description": "Increasing integration with third-party systems expanding attack surface", "potentialImpact": "New vectors for data compromise", "timeHorizon": "immediate", "monitoringApproach": "Third-party security assessment program" }
  ],
  "relatedRisks": [
    { "riskID": "RISK-TECH-005", "relationshipType": "contributor", "relationshipStrength": 4, "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities" },
    { "riskID": "RISK-COMP-002", "relationshipType": "consequence", "relationshipStrength": 5, "description": "Data breach would trigger Regulatory Compliance Risk" }
  ],
  "keyRiskIndicators": [
    { "indicatorName": "Security Incidents", "description": "Number of security incidents detected per month", "currentValue": "12", "threshold": "25", "trend": "stable", "monitoringFrequency": "daily" },
    { "indicatorName": "Vulnerability Remediation Time", "description": "Average time to remediate critical vulnerabilities", "currentValue": "1.8 days", "threshold": "3 days", "trend": "improving", "monitoringFrequency": "weekly" },
    { "indicatorName": "Phishing Simulation Success Rate", "description": "Percentage of employees clicking on simulated phishing emails", "currentValue": "4.2%", "threshold": "5%", "trend": "stable", "monitoringFrequency": "monthly" }
  ],
  "dependencies": [
    { "dependencyType": "Critical", "domainType": "Capability", "entityID": "CAP-SECOPS-001", "description": "Security Operations capability" },
    { "dependencyType": "Important", "domainType": "Information", "entityID": "INFO-DATA-003", "description": "Customer Data Security Classification Framework" }
  ],
  "documentationReferences": [
    { "documentName": "Information Security Policy", "documentLocation": "Policy repository (IS-POL-001)", "documentType": "policy", "documentDate": "2024-12-15" },
    { "documentName": "Annual Cybersecurity Risk Assessment", "documentLocation": "Risk repository (RISK-RPT-2025-01)", "documentType": "assessment", "documentDate": "2025-02-28" }
  ]
}
```

The value of mitigationStrategy.implementationStatus in the example did not survive the extraction and is omitted above rather than guessed.

Risk-capability relationship schema (fragment from the same cell; it begins part-way through the property that names the capability, whose key is not on this page, and ends before the schema's root closes):

```json
{
  "type": "string",
  "description": "Name of the capability"
},
"relationshipType": {
  "type": "string",
  "description": "Nature of the relationship",
  "enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
},
"relationshipStrength": {
  "type": "integer",
  "description": "Importance of this relationship (1-5)",
  "minimum": 1,
  "maximum": 5
},
"riskImpact": {
  "type": "object",
  "description": "How risk impacts capability",
  "properties": {
    "impactDescription": { "type": "string", "description": "Description of impact" },
    "impactSeverity": { "type": "string", "description": "Severity of impact", "enum": ["minimal", "moderate", "significant", "severe", "critical"] },
    "impactScenarios": { "type": "array", "description": "Specific impact scenarios", "items": { "type": "string" } }
  }
},
"capabilityControls": {
  "type": "array",
  "description": "Controls within capability addressing risk",
  "items": {
    "type": "object",
    "properties": {
      "controlDescription": { "type": "string", "description": "Description of control" },
      "controlEffectiveness": { "type": "string", "description": "How well control works", "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"] },
      "implementationStatus": { "type": "string", "description": "Status of implementation", "enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"] }
    }
  }
},
"capabilityGaps": {
  "type": "array",
  "description": "Capability gaps increasing risk",
  "items": {
    "type": "object",
    "properties": {
      "gapDescription": { "type": "string", "description": "Description of gap" },
      "riskContribution": { "type": "string", "description": "How gap contributes to risk" },
      "remediation": { "type": "string", "description": "Plan to address gap" }
    }
  }
},
"performanceMetrics": {
  "type": "array",
  "description": "Metrics for measuring risk impact on capability",
  "items": {
    "type": "object",
    "properties": {
      "metricName": { "type": "string", "description": "Name of metric" },
      "metricDescription": { "type": "string", "description": "What metric measures" },
      "currentValue": { "type": "string", "description": "Current measurement" },
      "targetValue": { "type": "string", "description": "Target value" }
    }
  }
},
"improvementInitiatives": {
  "type": "array",
  "description": "Initiatives to improve capability for risk management",
  "items": {
    "type": "object",
    "properties": {
      "initiativeDescription": { "type": "string", "description": "Description of initiative" },
      "expectedOutcome": { "type": "string", "description": "Anticipated result" },
      "status": { "type": "string", "description": "Current status", "enum": ["proposed", "approved", "in-progress", "completed", "canceled"] }
    }
  }
},
"dependencyRisks": {
  "type": "array",
  "description": "Risks arising from capability dependencies",
  "items": {
    "type": "object",
    "properties": {
      "dependencyType": { "type": "string", "description": "Type of dependency" },
      "dependentEntity": { "type": "string", "description": "What capability depends on" },
      "riskScenario": { "type": "string", "description": "Risk scenario created by dependency" }
    }
  }
}
```
Risk Management Domain Schema Properties
...
Property | Description | Example |
---|---|---|
monitoringID | Unique identifier for the risk monitoring activity | "MON-CYBER-002" |
monitoringTitle | Name of the specific risk monitoring activity | "Cybersecurity Risk Monitoring Program" |
description | Detailed explanation of the risk monitoring activity | "Continuous monitoring of key risk indicators and control effectiveness" |
orgUnitTitle | Organization unit responsible for this monitoring | "Security Operations Center" |
monitoredRisks | Risks being monitored | [{"riskID": "RISK-CYBER-001", "monitoringPriority": "high"}] |
keyRiskIndicators | Indicators being tracked | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
monitoringFrequency | Frequency of monitoring activities | {"reviewCycle": "continuous", "justification": "Critical risk requiring real-time visibility"} |
monitoringMethods | Approaches used for monitoring | [{"methodName": "SIEM Analytics", "automationLevel": "fully-automated"}] |
earlyWarningSystem | System for early detection of risk changes | {"alertMechanisms": ["Automated alerts", "Dashboard indicators"]} |
monitoringResponsibilities | People responsible for monitoring | [{"role": "SOC Analyst", "responsibilities": ["Monitor alerts", "Initial triage"]}] |
reportingStructure | How monitoring results are reported | {"reportTypes": [{"reportName": "Weekly Security Status", "reportFrequency": "weekly"}]} |
technologySystems | Systems supporting monitoring | [{"systemName": "Security Information & Event Management", "systemFunction": "Log analysis"}] |
dataManagement | How monitoring data is managed | {"dataSources": ["Firewall logs", "IDS alerts", "Authentication logs"]} |
historicalPerformance | History of monitoring effectiveness | {"successRate": "93% of incidents detected by monitoring systems"} |
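The threshold and indicator fields in the RISK-CYBER-001 example are free-form strings ("25", "1.8 days", ">5%"), so anything that consumes a profile, such as the monitoring program described in the property table above (keyRiskIndicators, earlyWarningSystem, monitoringFrequency), has to parse them before it can compare a current value with its threshold. The following Python is an added example, not code from the Orthogramic Metamodel page or project: it evaluates the example's key risk indicators against their thresholds, maps a set of observed metric values onto the riskTolerance thresholds to find which responseRequired actions are due, and checks a risk-capability relationship against the relationshipType enum and the 1-5 relationshipStrength bound from the schema fragment. The threshold grammar (an optional comparison operator, a number, and a unit, with a bare number read as an upper bound), the observed values, and the function names are assumptions; RISK_PROFILE is a constructed subset of the page's example.

```python
import re

# Enum and bounds copied from the risk-capability relationship schema fragment.
RELATIONSHIP_TYPES = {
    "risk-to-capability", "capability-to-risk", "mitigating-capability",
    "risk-generating-capability", "impacted-capability", "interdependent", "other",
}
STRENGTH_MIN, STRENGTH_MAX = 1, 5

# Constructed subset of the RISK-CYBER-001 example; only the fields used here.
RISK_PROFILE = {
    "riskID": "RISK-CYBER-001",
    "riskTolerance": {
        "toleranceLevel": "low",
        "thresholds": [
            {"metricName": "Security incidents involving PII", "thresholdValue": "0",
             "responseRequired": "Immediate executive notification and investigation"},
            {"metricName": "Failed security tests", "thresholdValue": ">5%",
             "responseRequired": "Security remediation within 48 hours"},
        ],
    },
    "keyRiskIndicators": [
        {"indicatorName": "Security Incidents", "currentValue": "12", "threshold": "25"},
        {"indicatorName": "Vulnerability Remediation Time", "currentValue": "1.8 days", "threshold": "3 days"},
        {"indicatorName": "Phishing Simulation Success Rate", "currentValue": "4.2%", "threshold": "5%"},
    ],
}

# Assumed grammar for the page's string-valued measures: [operator] number [unit].
_MEASURE = re.compile(r"^\s*(>=|<=|>|<)?\s*(\d+(?:\.\d+)?)\s*([%A-Za-z ]*?)\s*$")


def parse_measure(text):
    """Split '>5%', '1.8 days' or '25' into (operator or None, number, unit)."""
    m = _MEASURE.match(text)
    if not m:
        raise ValueError(f"unparseable measure: {text!r}")
    op, number, unit = m.groups()
    return op, float(number), unit.strip().lower()


def exceeds(observed, threshold):
    """True when the observed measure breaches the threshold measure.
    A threshold with an explicit operator ('>5%') breaches when that comparison
    holds; a bare threshold ('25', '0') is read as an upper bound, so any value
    above it breaches. Mixed units are rejected rather than silently compared."""
    _, obs, obs_unit = parse_measure(observed)
    op, limit, unit = parse_measure(threshold)
    if obs_unit != unit:
        raise ValueError(f"unit mismatch: {observed!r} vs {threshold!r}")
    compare = {">": obs > limit, ">=": obs >= limit, "<": obs < limit, "<=": obs <= limit}
    return compare[op] if op else obs > limit


def evaluate_kris(profile):
    """Return {indicatorName: (breached, headroom)}, where headroom is the
    fraction of the threshold still unused (negative once breached)."""
    result = {}
    for kri in profile["keyRiskIndicators"]:
        _, current, _ = parse_measure(kri["currentValue"])
        _, limit, _ = parse_measure(kri["threshold"])
        breached = exceeds(kri["currentValue"], kri["threshold"])
        headroom = (limit - current) / limit if limit else -current
        result[kri["indicatorName"]] = (breached, round(headroom, 2))
    return result


def required_responses(profile, observations):
    """Match observed metric values (metricName -> measure string) against
    riskTolerance.thresholds; return (metricName, responseRequired) for each
    breached threshold, in the order the profile lists them."""
    responses = []
    for t in profile["riskTolerance"]["thresholds"]:
        observed = observations.get(t["metricName"])
        if observed is not None and exceeds(observed, t["thresholdValue"]):
            responses.append((t["metricName"], t["responseRequired"]))
    return responses


def validate_capability_relationship(rel):
    """Check one risk-capability relationship against the schema fragment's
    enum and integer bounds; return a list of problems (empty when valid)."""
    problems = []
    if rel.get("relationshipType") not in RELATIONSHIP_TYPES:
        problems.append(f"relationshipType {rel.get('relationshipType')!r} not in enum")
    strength = rel.get("relationshipStrength")
    if (not isinstance(strength, int) or isinstance(strength, bool)
            or not STRENGTH_MIN <= strength <= STRENGTH_MAX):
        problems.append(f"relationshipStrength {strength!r} must be an integer "
                        f"in {STRENGTH_MIN}..{STRENGTH_MAX}")
    return problems


if __name__ == "__main__":
    # Constructed observations for one monitoring cycle (not from the page).
    observed = {"Security incidents involving PII": "1", "Failed security tests": "3%"}
    print(evaluate_kris(RISK_PROFILE))
    print(required_responses(RISK_PROFILE, observed))
    print(validate_capability_relationship(
        {"relationshipType": "mitigating-capability", "relationshipStrength": 4}))
```

With the constructed observations, the PII-incident threshold of "0" is breached by a single incident and returns the executive-notification response, while "3%" failed tests stays under ">5%". The unit check matters in practice: a monitoring pipeline that compared "4 days" against "5%" numerically would report a healthy indicator for a meaningless comparison, so the function raises instead. The relatedRisks entries in the example use a different relationshipType vocabulary ("contributor", "consequence") than the capability schema and are deliberately not checked against this enum.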