...
Key risk indicators
Monitoring frequency and methods
Threshold definitions and alerts
Trend analysis approaches
Escalation pathways
Reporting structures
Implementation Guidelines
Getting Started
Begin by identifying and documenting key risk categories
Select a high-priority risk and create a detailed risk profile
Document the assessment methodology used to evaluate risks
Map major control mechanisms and their effectiveness
Define response strategies for priority risks
Best Practices
Ensure risk profiles have clear ownership and accountability
Base risk assessments on consistent and objective criteria
Update risk evaluations regularly as internal and external factors change
Connect risk elements to strategic decisions and operational capabilities
Involve multiple perspectives in risk analysis to avoid bias
Maintain a balance between risk control costs and potential impact
Common Pitfalls to Avoid
Creating overly complex risk categorization that dilutes management focus
Basing risk assessments on assumptions rather than evidence
Failing to connect risk analysis to strategic and operational domains
Not updating risk profiles as business context evolves
Focusing exclusively on risk avoidance while missing positive risk (opportunity)
Overlooking risk interdependencies and cascading effects
Schema Evolution Guidance
The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:
Enhanced predictive risk analytics
AI-assisted risk identification and assessment
Dynamic risk modeling capabilities
Operational resilience frameworks
Cyber and digital risk extensions
Integrated governance, risk, and compliance models
Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.
Conclusion
The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.
The integration with the Strategic Response Model ensures that risk insights drive strategic decision-making and organizational change. This domain complements other domains by focusing on the uncertainty dimensions that affect organizational activities, providing critical context for strategic planning and operational execution.
Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.
Example Implementation
Example: Cybersecurity Risk Profile Analysis
```json
{
"riskID": "RISK-CYBER-001",
"title": "Critical Data Breach Risk",
"description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
"riskCategory": "technology",
"orgUnitTitle": "Information Security Department",
"orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
"riskSource": "external",
"riskOwner": "Chief Information Security Officer",
"riskProbability": {
"level": "moderate",
"numericValue": 0.35,
"rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
"timeHorizon": "12 months"
},
"riskImpact": {
"level": "severe",
"financialImpact": "$5-15 million",
"nonFinancialImpacts": [
{
"impactType": "reputational",
"description": "Severe damage to brand trust and customer confidence",
"severity": "high"
},
{
"impactType": "regulatory",
"description": "Substantial fines under data protection regulations",
"severity": "high"
},
{
"impactType": "operational",
"description": "Service disruption during incident response",
"severity": "medium"
}
],
"rationale": "Based on analysis of recent industry breaches and our specific data exposure"
},
"riskSeverity": {
"level": "high",
"score": 16,
"calculationMethod": "5x5 risk matrix combining probability and impact values"
},
"riskTolerance": {
"toleranceLevel": "low",
"thresholds": [
{
"metricName": "Security incidents involving PII",
"thresholdValue": "0",
"responseRequired": "Immediate executive notification and investigation"
},
{
"metricName": "Failed security tests",
"thresholdValue": ">5%",
"responseRequired": "Security remediation within 48 hours"
}
],
"rationale": "Given regulatory requirements and potential reputational impact"
},
"riskStatus": "mitigated",
"mitigationStrategy": {
"approachType": "reduce",
"description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
"expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
"implementationStatus": "implemented"
},
"residualRisk": {
"level": "moderate",
"acceptableLevel": true,
"description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
"additionalControls": [
"Investigating additional advanced endpoint protection",
"Enhancing threat hunting capabilities"
]
},
"controlEffectiveness": {
"level": "effective",
"lastAssessment": "2025-03-15",
"improvementNeeds": [
"Strengthen third-party security assessment process",
"Enhance cloud security monitoring"
]
},
"reviewFrequency": "quarterly",
"lastReviewDate": "2025-04-01",
"nextReviewDate": "2025-07-01",
"regulatoryImplications": [
{
"regulationType": "Data Protection",
"regulationName": "GDPR",
"implications": "Breach notification requirements and potential fines up to 4% of global revenue",
"complianceStatus": "compliant"
},
{
"regulationType": "Financial",
"regulationName": "PCI-DSS",
"implications": "Requirements for securing payment card data",
"complianceStatus": "compliant"
}
],
"strategicImplications": {
"overallImpact": "mixed",
"affectedObjectives": [
{
"objectiveID": "STRAT-DIGITAL-003",
"impactDescription": "Risk considerations require adjustment to cloud migration timeline",
"impactSeverity": "moderate"
},
{
"objectiveID": "STRAT-CUSTOMER-002",
"impactDescription": "Enhanced security measures could create friction in customer experience",
"impactSeverity": "minor"
}
]
},
"emergingFactors": [
{
"factorName": "AI-Enhanced Cyber Threats",
"description": "Increasing sophistication of attacks using AI to evade detection",
"potentialImpact": "Could increase probability of successful breach",
"timeHorizon": "medium-term",
"monitoringApproach": "Threat intelligence subscription and quarterly assessment"
},
{
"factorName": "Extended Supply Chain Exposure",
"description": "Increasing integration with third-party systems expanding attack surface",
"potentialImpact": "New vectors for data compromise",
"timeHorizon": "immediate",
"monitoringApproach": "Third-party security assessment program"
}
],
"relatedRisks": [
{
"riskID": "RISK-TECH-005",
"relationshipType": "contributor",
"relationshipStrength": 4,
"description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities"
},
{
"riskID": "RISK-COMP-002",
"relationshipType": "consequence",
"relationshipStrength": 5,
"description": "Data breach would trigger Regulatory Compliance Risk"
}
],
"keyRiskIndicators": [
{
"indicatorName": "Security Incidents",
"description": "Number of security incidents detected per month",
"currentValue": "12",
"threshold": "25",
"trend": "stable",
"monitoringFrequency": "daily"
},
{
"indicatorName": "Vulnerability Remediation Time",
"description": "Average time to remediate critical vulnerabilities",
"currentValue": "1.8 days",
"threshold": "3 days",
"trend": "improving",
"monitoringFrequency": "weekly"
},
{
"indicatorName": "Phishing Simulation Success Rate",
"description": "Percentage of employees clicking on simulated phishing emails",
"currentValue": "4.2%",
"threshold": "5%",
"trend": "stable",
"monitoringFrequency": "monthly"
}
],
"dependencies": [
{
"dependencyType": "Critical",
"domainType": "Capability",
"entityID": "CAP-SECOPS-001",
"description": "Security Operations capability"
},
{
"dependencyType": "Important",
"domainType": "Information",
"entityID": "INFO-DATA-003",
"description": "Customer Data Security Classification Framework"
}
],
"documentationReferences": [
{
"documentName": "Information Security Policy",
"documentLocation": "Policy repository (IS-POL-001)",
"documentType": "policy",
"documentDate": "2024-12-15"
},
{
"documentName": "Annual Cybersecurity Risk Assessment",
"documentLocation": "Risk repository (RISK-RPT-2025-01)",
"documentType": "assessment",
"documentDate": "2025-02-28"
}
]
}
```
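The profile above stores every KRI value, KRI threshold and tolerance threshold as a free-form string ("4.2%", "1.8 days", ">5%", "0"), so a monitoring job cannot compare them until it has parsed the number, the unit and the comparison operator. The following is an added example, not code from this page or from the Orthogramic project: it evaluates a constructed subset of RISK-CYBER-001 and reports which KRIs and tolerance thresholds are breached and whether the profile's review is overdue. The `evaluate` function, the observed values for the two tolerance metrics and the `as_of` date are assumptions made for the example; the default "higher than threshold is a breach" rule is also an assumption, chosen because every threshold on this page is a lower-is-better limit.

```python
"""Evaluate a risk profile's KRIs and tolerance thresholds (added example)."""
import re
from datetime import date

# Constructed sample: a trimmed copy of the page's RISK-CYBER-001 profile.
RISK_PROFILE = {
    "riskID": "RISK-CYBER-001",
    "riskTolerance": {
        "thresholds": [
            {"metricName": "Security incidents involving PII",
             "thresholdValue": "0",
             "responseRequired": "Immediate executive notification and investigation"},
            {"metricName": "Failed security tests",
             "thresholdValue": ">5%",
             "responseRequired": "Security remediation within 48 hours"},
        ]
    },
    "keyRiskIndicators": [
        {"indicatorName": "Security Incidents", "currentValue": "12", "threshold": "25"},
        {"indicatorName": "Vulnerability Remediation Time", "currentValue": "1.8 days", "threshold": "3 days"},
        {"indicatorName": "Phishing Simulation Success Rate", "currentValue": "4.2%", "threshold": "5%"},
    ],
    "nextReviewDate": "2025-07-01",
}

# optional operator, a number, optional unit: ">5%", "1.8 days", "25"
_MEASURE = re.compile(r"^\s*(?P<op>[<>]=?)?\s*(?P<num>-?\d+(?:\.\d+)?)\s*(?P<unit>%|[A-Za-z]+)?\s*$")


def parse_measure(text):
    """Return (operator, value, unit) for a measure string.

    The operator defaults to ">" (assumption: every threshold on the page is a
    lower-is-better limit, so exceeding it is the breach). Units are lower-cased
    and singularised so that "3 days" and "1 day" compare.
    """
    match = _MEASURE.match(text)
    if not match:
        raise ValueError(f"unparseable measure: {text!r}")
    unit = (match.group("unit") or "").lower().rstrip("s")
    return match.group("op") or ">", float(match.group("num")), unit


def breached(current, threshold):
    """True when `current` violates `threshold`; units must agree."""
    _, value, value_unit = parse_measure(current)
    op, limit, limit_unit = parse_measure(threshold)
    if value_unit != limit_unit:
        raise ValueError(f"unit mismatch: {current!r} vs {threshold!r}")
    return {">": value > limit, ">=": value >= limit,
            "<": value < limit, "<=": value <= limit}[op]


def evaluate(profile, observations, as_of):
    """Check KRIs, tolerance thresholds and review cadence for one profile.

    `observations` maps a tolerance metricName to its latest measured value
    (KRIs carry their own currentValue); `as_of` is an ISO date string.
    """
    kri_breaches = [k["indicatorName"] for k in profile.get("keyRiskIndicators", [])
                    if breached(k["currentValue"], k["threshold"])]
    tolerance_breaches = [
        (t["metricName"], t["responseRequired"])
        for t in profile.get("riskTolerance", {}).get("thresholds", [])
        if t["metricName"] in observations
        and breached(observations[t["metricName"]], t["thresholdValue"])
    ]
    return {
        "riskID": profile["riskID"],
        "kri_breaches": kri_breaches,
        "tolerance_breaches": tolerance_breaches,
        "review_overdue": date.fromisoformat(as_of) > date.fromisoformat(profile["nextReviewDate"]),
    }


if __name__ == "__main__":
    # Constructed observations: one PII incident and a 6.5% security-test failure rate.
    print(evaluate(RISK_PROFILE,
                   {"Security incidents involving PII": "1", "Failed security tests": "6.5%"},
                   "2025-07-15"))
```

With the page's own KRI values nothing is breached; the constructed observations trip both tolerance thresholds, and the `responseRequired` text travels with each breach so the caller can route it to the escalation pathway the monitoring schema defines. A unit mismatch (days against percent) raises rather than silently comparing numbers.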
...
Risk Management Domain Schema
Cross-Domain Relationship Mappings
Risk-Strategy Relationship Schema
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Strategy Relationship Schema",
  "description": "Schema for relationships between Risk Management domain and Strategy domain",
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {
      "type": "string",
      "description": "Unique identifier for this relationship"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk element"
    },
    "title": {
      "type": "string",
      "description": "Name of the strategy"
    },
    "relationshipType": {
      "type": "string",
      "description": "Nature of the risk influence on strategy",
      "enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
    },
    "relationshipStrength": {
      "type": "integer",
      "description": "Strength of influence (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskFactors": {
      "type": "array",
      "description": "Risk factors influencing this strategy",
      "items": { "type": "string" }
    },
    "strategicImpact": {
      "type": "object",
      "description": "How risk impacts strategic elements",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of impact"
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "potentialOutcomes": {
          "type": "array",
          "description": "Possible strategic outcomes",
          "items": { "type": "string" }
        }
      }
    },
    "strategicObjectives": {
      "type": "array",
      "description": "Strategic objectives affected by risk",
      "items": {
        "type": "object",
        "properties": {
          "objectiveID": {
            "type": "string",
            "description": "ID of strategic objective"
          },
          "riskImpact": {
            "type": "string",
            "description": "How risk impacts this objective"
          },
          "importanceLevel": {
            "type": "string",
            "description": "Importance to objective",
            "enum": ["minor", "moderate", "significant", "critical"]
          }
        }
      }
    },
    "riskAdjustments": {
      "type": "array",
      "description": "Strategic adjustments made for risk",
      "items": {
        "type": "object",
        "properties": {
          "adjustmentDescription": {
            "type": "string",
            "description": "Description of adjustment"
          },
          "adjustmentType": {
            "type": "string",
            "description": "Type of adjustment",
            "enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
          },
          "effectiveness": {
            "type": "string",
            "description": "Effectiveness of adjustment",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          }
        }
      }
    },
    "riskAppetite": {
      "type": "object",
      "description": "Strategic risk appetite",
      "properties": {
        "appetiteLevel": {
          "type": "string",
          "description": "Level of risk appetite",
          "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
        },
        "appetiteJustification": {
          "type": "string",
          "description": "Reason for this appetite level"
        },
        "variationByObjective": {
          "type": "array",
          "description": "How appetite varies by objective",
          "items": {
            "type": "object",
            "properties": {
              "objectiveID": {
                "type": "string",
                "description": "ID of objective"
              },
              "specificAppetite": {
                "type": "string",
                "description": "Specific appetite for this objective",
                "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
              }
            }
          }
        }
      }
    },
    "strategicMonitoring": {
      "type": "object",
      "description": "How risk is monitored in strategy",
      "properties": {
        "monitoringApproach": {
          "type": "string",
          "description": "How risk is tracked strategically"
        },
        "keyIndicators": {
          "type": "array",
          "description": "Strategic indicators being tracked",
          "items": { "type": "string" }
        },
        "reviewFrequency": {
          "type": "string",
          "description": "How often strategic risk is reviewed",
          "enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
        }
      }
    },
    "contingencyPlans": {
      "type": "array",
      "description": "Strategic contingencies for risk events",
      "items": {
        "type": "object",
        "properties": {
          "scenarioDescription": {
            "type": "string",
            "description": "Risk scenario"
          },
          "contingencyApproach": {
            "type": "string",
            "description": "Planned response"
          },
          "triggerConditions": {
            "type": "string",
            "description": "What activates contingency"
          }
        }
      }
    }
  }
}
```
Strategic Response Model Integration
Risk-Related Strategic Responses Schema
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Strategic Responses Schema",
  "description": "Schema for risk-related strategic responses in the Strategic Response Model",
  "type": "object",
  "required": ["responseID", "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
  "properties": {
    "responseID": {
      "type": "string",
      "description": "A unique identifier for the strategic response"
    },
    "responseTitle": {
      "type": "string",
      "description": "A concise title summarizing the strategic response"
    },
    "responseType": {
      "type": "string",
      "description": "The classification of the response",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"]
    },
    "responseDescription": {
      "type": "string",
      "description": "A detailed explanation of the strategic response, its objectives, and scope"
    },
    "riskIDs": {
      "type": "array",
      "description": "Risk elements this response addresses",
      "items": { "type": "string" }
    },
    "triggerReferences": {
      "type": "array",
      "description": "An array of triggerIDs that initiated this strategic response",
      "items": { "type": "string" }
    },
    "rationaleReferences": {
      "type": "array",
      "description": "An array of rationaleIDs providing justification for this response",
      "items": { "type": "string" }
    },
    "performanceIndicatorReferences": {
      "type": "array",
      "description": "Metrics or KPIs that will be used to measure the success of the strategic response",
      "items": { "type": "string" }
    },
    "riskOutcomes": {
      "type": "array",
      "description": "Specific risk management outcomes resulting from this response",
      "items": {
        "type": "object",
        "properties": {
          "outcomeDescription": {
            "type": "string",
            "description": "Description of risk outcome"
          },
          "targetRiskLevel": {
            "type": "string",
            "description": "Desired risk level after response",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "measurementApproach": {
            "type": "string",
            "description": "How outcome will be measured"
          }
        }
      }
    },
    "implementedControls": {
      "type": "array",
      "description": "Risk controls implemented by this response",
      "items": {
        "type": "object",
        "properties": {
          "controlName": {
            "type": "string",
            "description": "Name of control"
          },
          "controlDescription": {
            "type": "string",
            "description": "Description of control"
          },
          "controlType": {
            "type": "string",
            "description": "Type of control",
            "enum": ["preventive", "detective", "corrective", "directive", "other"]
          },
          "implementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["planned", "in-progress", "implemented", "ineffective"]
          }
        }
      }
    },
    "affectedDomains": {
      "type": "array",
      "description": "A list of business architecture domains impacted by this response",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "implementationPlan": {
      "type": "object",
      "description": "Plan outlining how the response will be executed",
      "properties": {
        "phaseApproach": {
          "type": "string",
          "description": "Phasing of implementation"
        },
        "keyActivities": {
          "type": "array",
          "description": "Major implementation activities",
          "items": { "type": "string" }
        },
        "resources": {
          "type": "string",
          "description": "Resources required for implementation"
        },
        "governanceStructure": {
          "type": "string",
          "description": "Governance over implementation"
        }
      }
    },
    "riskMonitoring": {
      "type": "array",
      "description": "Ongoing risk monitoring approaches",
      "items": {
        "type": "object",
        "properties": {
          "monitoringMethod": {
            "type": "string",
            "description": "Method for monitoring"
          },
          "keyIndicators": {
            "type": "array",
            "description": "Indicators being monitored",
            "items": { "type": "string" }
          },
          "frequency": {
            "type": "string",
            "description": "How often monitoring occurs",
            "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"]
          }
        }
      }
    },
    "expectedOutcomes": {
      "type": "string",
      "description": "A description of the anticipated results or benefits from implementing the response"
    },
    "responsibleOrgUnits": {
      "type": "array",
      "description": "Organisation units accountable for executing the strategic response",
      "items": { "type": "string" }
    },
    "startDate": {
      "type": "string",
      "format": "date",
      "description": "The planned start date for implementing the strategic response"
    },
    "endDate": {
      "type": "string",
      "format": "date",
      "description": "The planned completion date for the strategic response"
    },
    "status": {
      "type": "string",
      "description": "The current status of the strategic response",
      "enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"]
    },
    "lastUpdated": {
      "type": "string",
      "format": "date",
      "description": "The date when the strategic response record was last updated"
    },
    "residualRiskAssessment": {
      "type": "string",
      "description": "Assessment of risk remaining after response implementation"
    },
    "strategicThemes": {
      "type": "array",
      "description": "An array of strategic priorities that this initiative supports",
      "items": { "type": "string" }
    }
  }
}
```
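The cross-domain schemas on this page (Risk-Strategy above, the Strategic Responses schema, and the Risk-Capability schema that follows) carry their integrity constraints as draft-07 `required`, `enum` and `minimum`/`maximum` keywords, so a relationship record that names an unknown relationship type or a strength outside 1-5 should be rejected before it enters the architecture repository. The block below is an added example, not code from this page or from the Orthogramic project. It validates two constructed Risk-Strategy records against a constructed excerpt of the schema above, using a small validator that covers only the keywords these schemas use (`type`, `required`, `enum`, `minimum`, `maximum`, `properties`, `items`); the `validate` function, the record identifiers and the strategy title are assumptions. In production, run the full schema through the `jsonschema` package instead; the same approach applies unchanged to the other two schemas.

```python
"""Subset JSON Schema validation for a Risk-Strategy relationship record (added example)."""

# Constructed excerpt: the constrained properties of the page's Risk-Strategy schema.
RISK_STRATEGY_SCHEMA = {
    "type": "object",
    "required": ["relationshipID", "riskID", "title", "relationshipType"],
    "properties": {
        "relationshipID": {"type": "string"},
        "riskID": {"type": "string"},
        "title": {"type": "string"},
        "relationshipType": {"type": "string", "enum": [
            "strategic-threat", "strategic-opportunity", "execution-risk", "enabler",
            "constraint", "context-factor", "success-factor", "other"]},
        "relationshipStrength": {"type": "integer", "minimum": 1, "maximum": 5},
        "strategicObjectives": {"type": "array", "items": {"type": "object", "properties": {
            "objectiveID": {"type": "string"},
            "riskImpact": {"type": "string"},
            "importanceLevel": {"type": "string",
                                "enum": ["minor", "moderate", "significant", "critical"]}}}},
        "riskAdjustments": {"type": "array", "items": {"type": "object", "properties": {
            "adjustmentType": {"type": "string", "enum": [
                "scope-change", "timeline-adjustment", "resource-increase",
                "goal-modification", "approach-change", "other"]},
            "effectiveness": {"type": "string", "enum": [
                "ineffective", "partially-effective", "effective",
                "highly-effective", "not-assessed"]}}}},
    },
}

_PY_TYPES = {"string": str, "integer": int, "number": (int, float), "boolean": bool,
             "object": dict, "array": list, "null": type(None)}


def validate(instance, schema, path="$"):
    """Return a list of violations (empty means valid) for the supported keyword subset."""
    expected = schema.get("type")
    if expected is not None:
        # bool is an int subclass in Python; JSON Schema keeps the two distinct
        wrong_bool = expected in ("integer", "number") and isinstance(instance, bool)
        if wrong_bool or not isinstance(instance, _PY_TYPES[expected]):
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in {schema['enum']}")
    if isinstance(instance, (int, float)) and not isinstance(instance, bool):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: {instance} below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: {instance} above maximum {schema['maximum']}")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


# Constructed record: RISK-CYBER-001 constraining the page's STRAT-DIGITAL-003 objective.
GOOD_RECORD = {
    "relationshipID": "REL-RISK-STRAT-001",
    "riskID": "RISK-CYBER-001",
    "title": "Cloud migration strategy",
    "relationshipType": "constraint",
    "relationshipStrength": 3,
    "strategicObjectives": [{"objectiveID": "STRAT-DIGITAL-003",
                             "riskImpact": "Migration timeline must absorb additional security gating",
                             "importanceLevel": "moderate"}],
    "riskAdjustments": [{"adjustmentType": "timeline-adjustment", "effectiveness": "not-assessed"}],
}

# Constructed record with five defects: no title, unknown relationship type,
# strength below 1, and two values outside their enums.
BAD_RECORD = {
    "relationshipID": "REL-RISK-STRAT-002",
    "riskID": "RISK-CYBER-001",
    "relationshipType": "threat",
    "relationshipStrength": 0,
    "strategicObjectives": [{"objectiveID": "STRAT-CUSTOMER-002", "importanceLevel": "medium"}],
    "riskAdjustments": [{"adjustmentType": "timeline-adjustment", "effectiveness": "done"}],
}

if __name__ == "__main__":
    print("good:", validate(GOOD_RECORD, RISK_STRATEGY_SCHEMA))
    for problem in validate(BAD_RECORD, RISK_STRATEGY_SCHEMA):
        print("bad: ", problem)
```

Each violation carries a JSON-path style location, which is what a reviewer needs when a record is rejected at import time; a type mismatch stops descent into that subtree so one wrong type does not produce a cascade of follow-on errors.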
Risk-Capability Relationship Schema
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Capability Relationship Schema",
  "description": "Schema for relationships between Risk Management domain and Capability domain",
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {
      "type": "string",
      "description": "Unique identifier for this relationship"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk element"
    },
    "title": {
      "type": "string",
      "description": "Name of the capability"
    },
    "relationshipType": {
      "type": "string",
      "description": "Nature of the relationship",
      "enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
    },
    "relationshipStrength": {
      "type": "integer",
      "description": "Importance of this relationship (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskImpact": {
      "type": "object",
      "description": "How risk impacts capability",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of impact"
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "impactScenarios": {
          "type": "array",
          "description": "Specific impact scenarios",
          "items": { "type": "string" }
        }
      }
    },
    "capabilityControls": {
      "type": "array",
      "description": "Controls within capability addressing risk",
      "items": {
        "type": "object",
        "properties": {
          "controlDescription": {
            "type": "string",
            "description": "Description of control"
          },
          "controlEffectiveness": {
            "type": "string",
            "description": "How well control works",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          },
          "implementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"]
          }
        }
      }
    },
    "capabilityGaps": {
      "type": "array",
      "description": "Capability gaps increasing risk",
      "items": {
        "type": "object",
        "properties": {
          "gapDescription": {
            "type": "string",
            "description": "Description of gap"
          },
          "riskContribution": {
            "type": "string",
            "description": "How gap contributes to risk"
          },
          "remediation": {
            "type": "string",
            "description": "Plan to address gap"
          }
        }
      }
    },
    "performanceMetrics": {
      "type": "array",
      "description": "Metrics for measuring risk impact on capability",
      "items": {
        "type": "object",
        "properties": {
          "metricName": {
            "type": "string",
            "description": "Name of metric"
          },
          "metricDescription": {
            "type": "string",
            "description": "What metric measures"
          },
          "currentValue": {
            "type": "string",
            "description": "Current measurement"
          },
          "targetValue": {
            "type": "string",
            "description": "Target value"
          }
        }
      }
    },
    "improvementInitiatives": {
      "type": "array",
      "description": "Initiatives to improve capability for risk management",
      "items": {
        "type": "object",
        "properties": {
          "initiativeDescription": {
            "type": "string",
            "description": "Description of initiative"
          },
          "expectedOutcome": {
            "type": "string",
            "description": "Anticipated result"
          },
          "status": {
            "type": "string",
            "description": "Current status",
            "enum": ["proposed", "approved", "in-progress", "completed", "canceled"]
          }
        }
      }
    },
    "dependencyRisks": {
      "type": "array",
      "description": "Risks arising from capability dependencies",
      "items": {
        "type": "object",
        "properties": {
          "dependencyType": {
            "type": "string",
            "description": "Type of dependency"
          },
          "dependentEntity": {
            "type": "string",
            "description": "What capability depends on"
          },
          "riskScenario": {
            "type": "string",
            "description": "Risk scenario created by dependency"
          }
        }
      }
    }
  }
}
```
Risk Management Domain Schema Properties
...
Property | Description | Example |
---|---|---|
monitoringID | Unique identifier for the risk monitoring activity | "MON-CYBER-002" |
monitoringTitle | Name of the specific risk monitoring activity | "Cybersecurity Risk Monitoring Program" |
description | Detailed explanation of the risk monitoring activity | "Continuous monitoring of key risk indicators and control effectiveness" |
orgUnitTitle | Organization unit responsible for this monitoring | "Security Operations Center" |
monitoredRisks | Risks being monitored | [{"riskID": "RISK-CYBER-001", "monitoringPriority": "high"}] |
keyRiskIndicators | Indicators being tracked | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
monitoringFrequency | Frequency of monitoring activities | {"reviewCycle": "continuous", "justification": "Critical risk requiring real-time visibility"} |
monitoringMethods | Approaches used for monitoring | [{"methodName": "SIEM Analytics", "automationLevel": "fully-automated"}] |
earlyWarningSystem | System for early detection of risk changes | {"alertMechanisms": ["Automated alerts", "Dashboard indicators"]} |
monitoringResponsibilities | People responsible for monitoring | [{"role": "SOC Analyst", "responsibilities": ["Monitor alerts", "Initial triage"]}] |
reportingStructure | How monitoring results are reported | {"reportTypes": [{"reportName": "Weekly Security Status", "reportFrequency": "weekly"}]} |
technologySystems | Systems supporting monitoring | [{"systemName": "Security Information & Event Management", "systemFunction": "Log analysis"}] |
dataManagement | How monitoring data is managed | {"dataSources": ["Firewall logs", "IDS alerts", "Authentication logs"]} |
historicalPerformance | History of monitoring effectiveness | {"successRate": "93% of incidents detected by monitoring systems"} |