Documentation

What is the Risk Management Domain?

The Risk Management domain represents the structured approach to identifying, assessing, mitigating, monitoring, and responding to risks across the organization. This domain provides a comprehensive framework for modeling risk profiles, assessment methodologies, control mechanisms, and response strategies, enabling risk-centric analysis that drives strategic planning, operational resilience, and compliance management.

The domain extends the Orthogramic Metamodel by providing deeper insights into risk factors, control effectiveness, and mitigation approaches, enabling organizations to align their capabilities, value streams, and strategies with risk appetite and tolerance thresholds.

Purpose and Value

The Risk Management Domain enables organizations to:

  • Systematically identify and categorize risks that could impact strategic, operational, and compliance objectives

  • Assess and prioritize risks based on likelihood, impact, and organizational context

  • Develop and implement appropriate control mechanisms and mitigation strategies

  • Monitor risk indicators and control effectiveness over time

  • Support data-driven decision making about risk acceptance, reduction, transfer, or avoidance

  • Drive resilience through improved visibility into risk interdependencies

  • Provide a structured foundation for governance, compliance, and assurance activities

  • Ensure consistent risk management practices across the enterprise

Core Concepts

Risk Profile
A comprehensive view of a specific risk, including its characteristics, potential impacts, and management approaches. Risk profiles provide a way to understand and communicate the nature of risks, their significance to the organization, and how they are being addressed.

Risk Assessment
A structured evaluation of identified risks, including analysis of causes, impacts, likelihood, and prioritization. Risk assessment methodologies enable consistent approaches to risk evaluation across the organization.

Risk Control
A mechanism, process, or measure implemented to modify risk by reducing likelihood, impact, or both. Controls provide the means to manage risks within acceptable thresholds.

Risk Response
An organized approach to addressing risks through avoidance, reduction, transfer, or acceptance strategies. Response planning ensures appropriate action for prioritized risks.

Risk Monitoring
Ongoing observation and evaluation of risk status, trends, and control effectiveness. Monitoring frameworks provide early warning of changing risk profiles.

Domain Structure

Domain Attributes

  • Basic identification: title, description, riskCategory

  • Organizational alignment: orgUnitTitle, orgUnitRoles, riskOwner

  • Risk characteristics: riskSource, riskProbability, riskImpact, riskSeverity

  • Management factors: riskTolerance, riskStatus, mitigationStrategy, residualRisk

  • External factors: regulatoryImplications, emergingFactors

  • Strategic implications: strategicImplications, relevantObjectives

Domain Elements

Risk Assessment Element
Provides a structured approach to evaluating risks:

  • Assessment methodologies and frameworks

  • Scope and boundaries of evaluation

  • Criteria for risk evaluation

  • Findings and recommendations

  • Prioritization and ranking

  • Participant roles and responsibilities

Risk Control Element
Maps the mechanisms used to modify risk:

  • Control type and design

  • Implementation status and effectiveness

  • Testing and validation approaches

  • Ownership and responsibilities

  • Documentation and evidence

  • Standards and benchmarks

Risk Response Element
Analyzes the strategic approaches to risk management:

  • Response strategy selection

  • Implementation planning and resources

  • Success criteria and measurements

  • Progress tracking and reporting

  • Review and effectiveness evaluation

  • Continuous improvement processes

Risk Monitoring Element
Evaluates ongoing risk observation and tracking:

  • Key risk indicators

  • Monitoring frequency and methods

  • Threshold definitions and alerts

  • Trend analysis approaches

  • Escalation pathways

  • Reporting structures

Implementation Guidelines

Getting Started

  1. Begin by identifying and documenting key risk categories

  2. Select a high-priority risk and create a detailed risk profile

  3. Document the assessment methodology used to evaluate risks

  4. Map major control mechanisms and their effectiveness

  5. Define response strategies for priority risks

Best Practices

  • Ensure risk profiles have clear ownership and accountability

  • Base risk assessments on consistent and objective criteria

  • Update risk evaluations regularly as internal and external factors change

  • Connect risk elements to strategic decisions and operational capabilities

  • Involve multiple perspectives in risk analysis to avoid bias

  • Maintain a balance between risk control costs and potential impact

Common Pitfalls to Avoid

  • Creating overly complex risk categorization that dilutes management focus

  • Basing risk assessments on assumptions rather than evidence

  • Failing to connect risk analysis to strategic and operational domains

  • Not updating risk profiles as business context evolves

  • Focusing exclusively on risk avoidance while missing positive risk (opportunity)

  • Overlooking risk interdependencies and cascading effects

Schema Evolution Guidance

The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:

  • Enhanced predictive risk analytics

  • AI-assisted risk identification and assessment

  • Dynamic risk modeling capabilities

  • Operational resilience frameworks

  • Cyber and digital risk extensions

  • Integrated governance, risk, and compliance models

Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.

Conclusion

The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.

The integration with the Strategic Response Model ensures that risk insights drive strategic decision-making and organizational change. This domain complements other domains by focusing on the uncertainty dimensions that affect organizational activities, providing critical context for strategic planning and operational execution.

Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.

Risk Management Domain Schema

Risk Management Domain Attributes

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk Management Domain Schema",
  "description": "Schema for the Risk Management domain in the Orthogramic Metamodel",
  "type": "object",
  "required": ["riskID", "title", "description", "riskCategory", "orgUnitTitle"],
  "properties": {
    "riskID": {
      "type": "string",
      "description": "Unique identifier for the risk element"
    },
    "title": {
      "type": "string",
      "description": "The name or title of the risk"
    },
    "description": {
      "type": "string",
      "description": "A detailed explanation of the risk"
    },
    "riskCategory": {
      "type": "string",
      "description": "Classification of risk type",
      "enum": ["strategic", "operational", "financial", "compliance", "reputational", "technology", "legal", "environmental", "market", "project", "people", "supply-chain", "other"]
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organization unit(s) responsible for managing this risk"
    },
    "orgUnitRoles": {
      "type": "array",
      "description": "Specific roles within the organization unit that manage this risk",
      "items": {
        "type": "string"
      }
    },
    "riskSource": {
      "type": "string",
      "description": "Origin of the risk",
      "enum": ["internal", "external", "hybrid"]
    },
    "riskOwner": {
      "type": "string",
      "description": "Individual or role responsible for risk management"
    },
    "riskProbability": {
      "type": "object",
      "description": "Likelihood of risk occurrence",
      "properties": {
        "level": {
          "type": "string",
          "description": "Qualitative probability level",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "numericValue": {
          "type": "number",
          "description": "Quantitative probability (0-1 or percentage)"
        },
        "rationale": {
          "type": "string",
          "description": "Explanation for probability assessment"
        },
        "timeHorizon": {
          "type": "string",
          "description": "Time period for probability assessment"
        }
      }
    },
    "riskImpact": {
      "type": "object",
      "description": "Potential effect if risk is realized",
      "properties": {
        "level": {
          "type": "string",
          "description": "Qualitative impact level",
          "enum": ["negligible", "minor", "moderate", "major", "severe"]
        },
        "financialImpact": {
          "type": "string",
          "description": "Monetary impact estimation"
        },
        "nonFinancialImpacts": {
          "type": "array",
          "description": "Non-monetary impacts",
          "items": {
            "type": "object",
            "properties": {
              "impactType": {
                "type": "string",
                "description": "Type of non-financial impact",
                "enum": ["reputational", "operational", "regulatory", "safety", "environmental", "strategic", "other"]
              },
              "description": {
                "type": "string",
                "description": "Description of the impact"
              },
              "severity": {
                "type": "string",
                "description": "Severity of this impact",
                "enum": ["low", "medium", "high", "critical"]
              }
            }
          }
        },
        "rationale": {
          "type": "string",
          "description": "Explanation for impact assessment"
        }
      }
    },
    "riskSeverity": {
      "type": "object",
      "description": "Combined measure of probability and impact",
      "properties": {
        "level": {
          "type": "string",
          "description": "Overall risk severity",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "score": {
          "type": "number",
          "description": "Numerical risk score"
        },
        "calculationMethod": {
          "type": "string",
          "description": "Method used to determine severity"
        }
      }
    },
    "riskTolerance": {
      "type": "object",
      "description": "Acceptable level of this risk",
      "properties": {
        "toleranceLevel": {
          "type": "string",
          "description": "Organizational tolerance for this risk",
          "enum": ["zero-tolerance", "low", "moderate", "high", "case-by-case"]
        },
        "thresholds": {
          "type": "array",
          "description": "Specific tolerance thresholds",
          "items": {
            "type": "object",
            "properties": {
              "metricName": {
                "type": "string",
                "description": "Name of threshold metric"
              },
              "thresholdValue": {
                "type": "string",
                "description": "Value that triggers action"
              },
              "responseRequired": {
                "type": "string",
                "description": "Action required when threshold is crossed"
              }
            }
          }
        },
        "rationale": {
          "type": "string",
          "description": "Explanation for tolerance level"
        }
      }
    },
    "riskStatus": {
      "type": "string",
      "description": "Current status in management lifecycle",
      "enum": ["identified", "assessed", "accepted", "mitigated", "transferred", "avoided", "realized", "closed"]
    },
    "mitigationStrategy": {
      "type": "object",
      "description": "Approach to risk reduction",
      "properties": {
        "approachType": {
          "type": "string",
          "description": "Primary risk response type",
          "enum": ["accept", "reduce", "transfer", "avoid", "exploit", "share", "enhance", "contingent"]
        },
        "description": {
          "type": "string",
          "description": "Description of mitigation approach"
        },
        "expectedOutcome": {
          "type": "string",
          "description": "Anticipated result of mitigation"
        },
        "implementationStatus": {
          "type": "string",
          "description": "Current status of implementation",
          "enum": ["not-started", "planned", "in-progress", "implemented", "verified", "ineffective", "abandoned"]
        }
      }
    },
    "residualRisk": {
      "type": "object",
      "description": "Risk remaining after controls",
      "properties": {
        "level": {
          "type": "string",
          "description": "Level of remaining risk",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "acceptableLevel": {
          "type": "boolean",
          "description": "Whether residual risk is acceptable"
        },
        "description": {
          "type": "string",
          "description": "Description of residual risk"
        },
        "additionalControls": {
          "type": "array",
          "description": "Additional controls needed",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "controlEffectiveness": {
      "type": "object",
      "description": "Effectiveness of current controls",
      "properties": {
        "level": {
          "type": "string",
          "description": "Overall effectiveness level",
          "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
        },
        "lastAssessment": {
          "type": "string",
          "format": "date",
          "description": "Date of last effectiveness assessment"
        },
        "improvementNeeds": {
          "type": "array",
          "description": "Areas needing improvement",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "reviewFrequency": {
      "type": "string",
      "description": "How often risk is reassessed",
      "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "semi-annually", "annually", "event-triggered"]
    },
    "lastReviewDate": {
      "type": "string",
      "format": "date",
      "description": "Date of last formal risk review"
    },
    "nextReviewDate": {
      "type": "string",
      "format": "date",
      "description": "Scheduled date for next review"
    },
    "regulatoryImplications": {
      "type": "array",
      "description": "Compliance aspects of this risk",
      "items": {
        "type": "object",
        "properties": {
          "regulationType": {
            "type": "string",
            "description": "Type of regulation"
          },
          "regulationName": {
            "type": "string",
            "description": "Name of specific regulation"
          },
          "implications": {
            "type": "string",
            "description": "How regulation relates to risk"
          },
          "complianceStatus": {
            "type": "string",
            "description": "Current compliance status",
            "enum": ["compliant", "non-compliant", "partially-compliant", "not-applicable", "under-review"]
          }
        }
      }
    },
    "strategicImplications": {
      "type": "object",
      "description": "Impact on strategic objectives",
      "properties": {
        "overallImpact": {
          "type": "string",
          "description": "General strategic impact",
          "enum": ["enabling", "impeding", "neutral", "mixed"]
        },
        "affectedObjectives": {
          "type": "array",
          "description": "Strategic objectives affected",
          "items": {
            "type": "object",
            "properties": {
              "objectiveID": {
                "type": "string",
                "description": "Identifier of affected objective"
              },
              "impactDescription": {
                "type": "string",
                "description": "Description of impact on objective"
              },
              "impactSeverity": {
                "type": "string",
                "description": "Severity of impact",
                "enum": ["minor", "moderate", "significant", "critical"]
              }
            }
          }
        }
      }
    },
    "emergingFactors": {
      "type": "array",
      "description": "Developing influences on this risk",
      "items": {
        "type": "object",
        "properties": {
          "factorName": {
            "type": "string",
            "description": "Name of emerging factor"
          },
          "description": {
            "type": "string",
            "description": "Description of the factor"
          },
          "potentialImpact": {
            "type": "string",
            "description": "How factor may change risk profile"
          },
          "timeHorizon": {
            "type": "string",
            "description": "When factor may become significant",
            "enum": ["immediate", "short-term", "medium-term", "long-term", "uncertain"]
          },
          "monitoringApproach": {
            "type": "string",
            "description": "How this factor is being tracked"
          }
        }
      }
    },
    "relatedRisks": {
      "type": "array",
      "description": "Relationships to other risks",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "ID of related risk"
          },
          "relationshipType": {
            "type": "string",
            "description": "Type of relationship",
            "enum": ["parent", "child", "contributor", "consequence", "similar", "opposing", "compound", "other"]
          },
          "relationshipStrength": {
            "type": "integer",
            "description": "Strength of relationship (1-5)",
            "minimum": 1,
            "maximum": 5
          },
          "description": {
            "type": "string",
            "description": "Description of the relationship"
          }
        }
      }
    },
    "keyRiskIndicators": {
      "type": "array",
      "description": "Metrics used to monitor this risk",
      "items": {
        "type": "object",
        "properties": {
          "indicatorName": {
            "type": "string",
            "description": "Name of risk indicator"
          },
          "description": {
            "type": "string",
            "description": "Description of the indicator"
          },
          "currentValue": {
            "type": "string",
            "description": "Present measurement"
          },
          "threshold": {
            "type": "string",
            "description": "Value that triggers action"
          },
          "trend": {
            "type": "string",
            "description": "Direction of indicator movement",
            "enum": ["improving", "stable", "worsening", "fluctuating", "not-tracked"]
          },
          "monitoringFrequency": {
            "type": "string",
            "description": "How often indicator is measured"
          }
        }
      }
    },
    "dependencies": {
      "type": "array",
      "description": "Other domains, processes, or systems related to this risk",
      "items": {
        "type": "object",
        "properties": {
          "dependencyType": {
            "type": "string",
            "description": "Type of dependency"
          },
          "domainType": {
            "type": "string",
            "description": "Type of domain this depends on",
            "enum": ["Capability", "Service", "Product", "Information", "Value Stream", "Strategy", "Organization", "Technology", "Initiative", "Customer", "Market", "Finance", "Other"]
          },
          "entityID": {
            "type": "string",
            "description": "ID of the entity being depended upon"
          },
          "description": {
            "type": "string",
            "description": "Description of the dependency"
          }
        }
      }
    },
    "documentationReferences": {
      "type": "array",
      "description": "References to detailed documentation",
      "items": {
        "type": "object",
        "properties": {
          "documentName": {
            "type": "string",
            "description": "Name of document"
          },
          "documentLocation": {
            "type": "string",
            "description": "Where document is stored"
          },
          "documentType": {
            "type": "string",
            "description": "Type of document",
            "enum": ["policy", "procedure", "assessment", "report", "plan", "control-description", "other"]
          },
          "documentDate": {
            "type": "string",
            "format": "date",
            "description": "Date of document"
          }
        }
      }
    }
  }
}
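The following is an added example, not part of the Orthogramic documentation: a small checker for the draft-07 keywords this schema uses (type, required, enum, minimum/maximum, format, properties, items), run over an excerpt of the schema above and a constructed risk record. It also flags two things the schema as published does not catch: undeclared property names (the schema sets no "additionalProperties": false) and an unbounded riskProbability.numericValue. The names SCHEMA_EXCERPT, RECORD, validate and undeclared_properties are assumptions of this example.

```python
import datetime
import re

# Excerpt of the Risk Management Domain schema on this page (keywords unchanged).
SCHEMA_EXCERPT = {
    "type": "object",
    "required": ["riskID", "title", "description", "riskCategory", "orgUnitTitle"],
    "properties": {
        "riskID": {"type": "string"},
        "title": {"type": "string"},
        "description": {"type": "string"},
        "riskCategory": {"type": "string", "enum": [
            "strategic", "operational", "financial", "compliance", "reputational",
            "technology", "legal", "environmental", "market", "project", "people",
            "supply-chain", "other"]},
        "orgUnitTitle": {"type": "string"},
        "riskProbability": {"type": "object", "properties": {
            "level": {"type": "string",
                      "enum": ["very-low", "low", "moderate", "high", "very-high"]},
            "numericValue": {"type": "number"}}},
        "nextReviewDate": {"type": "string", "format": "date"},
        "relatedRisks": {"type": "array", "items": {"type": "object", "properties": {
            "riskID": {"type": "string"},
            "relationshipStrength": {"type": "integer", "minimum": 1, "maximum": 5}}}},
    },
}

# Constructed sample record with deliberate mistakes (not real data).
RECORD = {
    "riskID": "RISK-EXAMPLE-001",
    "title": "Third-party build dependency compromise",
    "description": "Constructed sample record.",
    "riskCategory": "supply chain",          # enum value is "supply-chain"
    # "orgUnitTitle" is required but missing
    "riskProbability": {"level": "high", "numericValue": 35},  # 0-1 or percent? unbounded
    "nextReviewDate": "31/12/2025",          # not YYYY-MM-DD
    "relatedRisks": [{"riskID": "RISK-EXAMPLE-002", "relationshipStrength": 7}],
    "riskOwnr": "CISO",                      # typo for riskOwner, schema allows it
}

_SIMPLE = {"string": str, "object": dict, "array": list, "boolean": bool}


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _type_ok(value, name):
    if name == "number":
        return _is_number(value)
    if name == "integer":  # draft-07 accepts 1.0 as an integer
        return _is_number(value) and float(value).is_integer()
    return isinstance(value, _SIMPLE[name])


def validate(instance, schema, path="$", check_formats=True):
    """Return a list of violations. draft-07 lets a validator treat `format`
    as annotation only, so check_formats=False shows what then slips through."""
    expected = schema.get("type")
    if expected and not _type_ok(instance, expected):
        return [f"{path}: expected {expected}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} not in enum")
    if _is_number(instance):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: {instance} below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: {instance} above maximum {schema['maximum']}")
    if check_formats and schema.get("format") == "date" and isinstance(instance, str):
        try:
            if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", instance):
                raise ValueError(instance)
            datetime.date.fromisoformat(instance)
        except ValueError:
            errors.append(f"{path}: not a full-date (YYYY-MM-DD)")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required property '{key}'")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors += validate(instance[key], sub, f"{path}.{key}", check_formats)
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]", check_formats)
    return errors


def undeclared_properties(instance, schema, path="$"):
    """Extra lint beyond the schema: list keys that no `properties` entry declares."""
    found = []
    if isinstance(instance, dict):
        declared = schema.get("properties", {})
        for key, value in instance.items():
            if key not in declared:
                found.append(f"{path}.{key}")
            else:
                found += undeclared_properties(value, declared[key], f"{path}.{key}")
    elif isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            found += undeclared_properties(item, schema["items"], f"{path}[{i}]")
    return found


if __name__ == "__main__":
    for line in validate(RECORD, SCHEMA_EXCERPT):
        print("schema violation:", line)
    for line in undeclared_properties(RECORD, SCHEMA_EXCERPT):
        print("undeclared key:  ", line)
```

The misspelled riskOwnr key and the numericValue of 35 both pass schema validation, so ownership and probability data need a separate check when records are ingested.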

Risk Assessment Element Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk Assessment Schema",
  "description": "Schema for Risk Assessment element in the Risk Management domain",
  "type": "object",
  "required": ["assessmentID", "assessmentTitle", "description", "orgUnitTitle"],
  "properties": {
    "assessmentID": {
      "type": "string",
      "description": "Unique identifier for the risk assessment"
    },
    "assessmentTitle": {
      "type": "string",
      "description": "Name of the specific risk assessment"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation of the risk assessment"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organization unit responsible for conducting this assessment"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk domain this assessment belongs to"
    },
    "assessmentMethod": {
      "type": "string",
      "description": "Methodology used for assessment",
      "enum": ["qualitative", "semi-quantitative", "quantitative", "scenario-based", "workshop", "expert-judgment", "historical-analysis", "model-based", "other"]
    },
    "assessmentScope": {
      "type": "object",
      "description": "Boundaries of the assessment",
      "properties": {
        "inScope": {
          "type": "array",
          "description": "Areas explicitly included",
          "items": {
            "type": "string"
          }
        },
        "outOfScope": {
          "type": "array",
          "description": "Areas explicitly excluded",
          "items": {
            "type": "string"
          }
        },
        "scopeRationale": {
          "type": "string",
          "description": "Explanation for scope boundaries"
        }
      }
    },
    "assessmentContext": {
      "type": "string",
      "description": "Business context for the assessment"
    },
    "assessmentDate": {
      "type": "object",
      "description": "When assessment was conducted",
      "properties": {
        "startDate": {
          "type": "string",
          "format": "date",
          "description": "When assessment began"
        },
        "completionDate": {
          "type": "string",
          "format": "date",
          "description": "When assessment was completed"
        },
        "validityPeriod": {
          "type": "string",
          "description": "How long assessment remains valid"
        }
      }
    },
    "assessmentParticipants": {
      "type": "array",
      "description": "People involved in assessment",
      "items": {
        "type": "object",
        "properties": {
          "participantName": {
            "type": "string",
            "description": "Name of participant"
          },
          "participantRole": {
            "type": "string",
            "description": "Organizational role"
          },
          "participationType": {
            "type": "string",
            "description": "Nature of participation",
            "enum": ["facilitator", "subject-matter-expert", "stakeholder", "risk-owner", "reviewer", "approver", "other"]
          }
        }
      }
    },
    "riskCriteria": {
      "type": "object",
      "description": "Criteria for evaluating risks",
      "properties": {
        "probabilityCriteria": {
          "type": "array",
          "description": "Criteria for likelihood assessment",
          "items": {
            "type": "object",
            "properties": {
              "level": {
                "type": "string",
                "description": "Probability level"
              },
              "definition": {
                "type": "string",
                "description": "Definition of this level"
              },
              "quantitativeRange": {
                "type": "string",
                "description": "Numerical range if applicable"
              }
            }
          }
        },
        "impactCriteria": {
          "type": "array",
          "description": "Criteria for impact assessment",
          "items": {
            "type": "object",
            "properties": {
              "level": {
                "type": "string",
                "description": "Impact level"
              },
              "definition": {
                "type": "string",
                "description": "Definition of this level"
              },
              "quantitativeRange": {
                "type": "string",
                "description": "Numerical range if applicable"
              }
            }
          }
        },
        "riskCalculation": {
          "type": "string",
          "description": "How risk scores are calculated"
        }
      }
    },
    "identifiedRisks": {
      "type": "array",
      "description": "Risks discovered during assessment",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "Identifier for this risk"
          },
          "riskTitle": {
            "type": "string",
            "description": "Brief name for the risk"
          },
          "riskDescription": {
            "type": "string",
            "description": "Detailed description"
          },
          "riskCauses": {
            "type": "array",
            "description": "Factors that could cause this risk",
            "items": {
              "type": "string"
            }
          },
          "riskConsequences": {
            "type": "array",
            "description": "Potential outcomes if risk materializes",
            "items": {
              "type": "string"
            }
          },
          "existingControls": {
            "type": "array",
            "description": "Controls already in place",
            "items": {
              "type": "string"
            }
          },
          "controlEffectiveness": {
            "type": "string",
            "description": "How well existing controls work",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          },
          "inherentRiskLevel": {
            "type": "string",
            "description": "Risk level without controls",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "residualRiskLevel": {
            "type": "string",
            "description": "Risk level with controls",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          }
        }
      }
    },
    "riskRankings": {
      "type": "array",
      "description": "Prioritization of risks",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "Risk identifier"
          },
          "rankingScore": {
            "type": "number",
            "description": "Numerical ranking score"
          },
          "priority": {
            "type": "string",
            "description": "Priority level",
            "enum": ["low", "medium", "high", "critical"]
          },
          "rationaleForRanking": {
            "type": "string",
            "description": "Explanation for ranking"
          }
        }
      }
    },
    "assessmentFindings": {
      "type": "array",
      "description": "Key outcomes and insights",
      "items": {
        "type": "object",
        "properties": {
          "findingTitle": {
            "type": "string",
            "description": "Brief title of finding"
          },
          "findingDescription": {
            "type": "string",
            "description": "Detailed description"
          },
          "findingCategory": {
            "type": "string",
            "description": "Type of finding",
            "enum": ["risk-identification", "control-gap", "improvement-opportunity", "positive-observation", "compliance-issue", "other"]
          },
          "findingSeverity": {
            "type": "string",
            "description": "Severity of finding",
            "enum": ["informational", "low", "medium", "high", "critical"]
          }
        }
      }
    },
    "assessmentRecommendations": {
      "type": "array",
      "description": "Suggested actions",
      "items": {
        "type": "object",
        "properties": {
          "recommendationTitle": {
            "type": "string",
            "description": "Brief title of recommendation"
          },
          "recommendationDescription": {
            "type": "string",
            "description": "Detailed description"
          },
          "relatedFindingIDs": {
            "type": "array",
            "description": "Findings this addresses",
            "items": {
              "type": "string"
            }
          },
          "recommendationPriority": {
            "type": "string",
            "description": "Implementation priority",
            "enum": ["low", "medium", "high", "critical"]
          },
          "suggestedOwner": {
            "type": "string",
            "description": "Who should implement"
          },
          "timeframe": {
            "type": "string",
            "description": "Suggested timeframe",
            "enum": ["immediate", "short-term", "medium-term", "long-term"]
          }
        }
      }
    },
    "assessmentOwner": {
      "type": "string",
      "description": "Responsible party for assessment"
    },
    "assessmentApproval": {
      "type": "array",
      "description": "Approval information",
      "items": {
        "type": "object",
        "properties": {
          "approverName": {
            "type": "string",
            "description": "Name of approver"
          },
          "approverRole": {
            "type": "string",
            "description": "Role of approver"
          },
          "approvalDate": {
            "type": "string",
            "format": "date",
            "description": "Date of approval"
          },
          "approvalNotes": {
            "type": "string",
            "description": "Additional notes"
          }
        }
      }
    },
    "nextAssessment": {
      "type": "object",
      "description": "Timing for follow-up",
      "properties": {
        "plannedDate": {
          "type": "string",
          "format": "date",
          "description": "When next assessment is planned"
        },
        "triggerEvents": {
          "type": "array",
          "description": "Events that would prompt reassessment",
          "items": {
            "type": "string"
          }
        },
        "scopeChanges": {
          "type": "string",
          "description": "Expected changes to scope"
        }
      }
    },
    "assessmentMethodology": {
      "type": "object",
      "description": "Details of methodology used",
      "properties": {
        "frameworkReference": {
          "type": "string",
          "description": "Reference to methodology framework"
        },
        "assessmentTools": {
          "type": "array",
          "description": "Tools used in assessment",
          "items": {
            "type": "string"
          }
        },
        "dataSourcesUsed": {
          "type": "array",
          "description": "Sources of assessment data",
          "items": {
            "type": "string"
          }
        },
        "limitationsAndAssumptions": {
          "type": "array",
          "description": "Key limitations or assumptions",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "documentationReferences": {
      "type": "array",
      "description": "Reference documentation",
      "items": {
        "type": "object",
        "properties": {
          "documentName": {
            "type": "string",
            "description": "Name of document"
          },
          "documentType": {
            "type": "string",
            "description": "Type of document"
          },
          "location": {
            "type": "string",
            "description": "Where document is stored"
          }
        }
      }
    }
  }
}

Risk Control Element Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk Control Schema",
  "description": "Schema for Risk Control element in the Risk Management domain",
  "type": "object",
  "required": ["controlID", "controlTitle", "description", "orgUnitTitle"],
  "properties": {
    "controlID": {
      "type": "string",
      "description": "Unique identifier for the risk control"
    },
    "controlTitle": {
      "type": "string",
      "description": "Name of the specific risk control"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation of the risk control"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organization unit responsible for this control"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk domain this control belongs to"
    },
    "controlType": {
      "type": "string",
      "description": "Type of control measure",
      "enum": ["preventive", "detective", "corrective", "directive", "deterrent", "recovery", "compensating", "other"]
    },
    "controlCategory": {
      "type": "string",
      "description": "Functional category of control",
      "enum": ["administrative", "technical", "physical", "operational", "managerial", "procedural", "contractual", "other"]
    },
    "controlMethod": {
      "type": "string",
      "description": "How control operates",
      "enum": ["automated", "manual", "hybrid", "systemic", "periodic", "continuous", "other"]
    },
    "controlObjective": {
      "type": "string",
      "description": "What the control aims to achieve"
    },
    "implementationStatus": {
      "type": "string",
      "description": "Current implementation state",
      "enum": ["not-implemented", "planning", "implementing", "operational", "decommissioning", "replaced", "not-applicable"]
    },
    "implementationDate": {
      "type": "string",
      "format": "date",
      "description": "When control was/will be implemented"
    },
    "controlEffectiveness": {
      "type": "object",
      "description": "How well control works",
      "properties": {
        "designEffectiveness": {
          "type": "string",
          "description": "How well control is designed",
          "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
        },
        "operationalEffectiveness": {
          "type": "string",
          "description": "How well control operates",
          "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
        },
        "lastAssessmentDate": {
          "type": "string",
          "format": "date",
          "description": "When effectiveness was last assessed"
        },
        "improvementAreas": {
          "type": "array",
          "description": "Areas needing improvement",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "controlOwner": {
      "type": "string",
      "description": "Responsible party for implementation and operation"
    },
    "controlOperator": {
      "type": "string",
      "description": "Party responsible for day-to-day operation"
    },
    "controlCost": {
      "type": "object",
      "description": "Cost of implementation and maintenance",
      "properties": {
        "implementationCost": {
          "type": "number",
          "description": "One-time implementation cost"
        },
        "recurringCost": {
          "type": "number",
          "description": "Ongoing maintenance cost"
        },
        "costPeriod": {
          "type": "string",
          "description": "Period for recurring cost",
          "enum": ["monthly", "quarterly", "annually", "one-time"]
        },
        "costBenefitAssessment": {
          "type": "string",
          "description": "Analysis of cost vs. benefit"
        }
      }
    },
    "controlDocumentation": {
      "type": "array",
      "description": "Reference documentation",
      "items": {
        "type": "object",
        "properties": {
          "documentName": {
            "type": "string",
            "description": "Name of document"
          },
          "documentType": {
            "type": "string",
            "description": "Type of document",
            "enum": ["policy", "procedure", "guideline", "standard", "work-instruction", "technical-specification", "other"]
          },
          "location": {
            "type": "string",
            "description": "Where document is stored"
          },
          "lastUpdated": {
            "type": "string",
            "format": "date",
            "description": "When document was last updated"
          }
        }
      }
    },
    "controlTesting": {
      "type": "object",
      "description": "How and when control is tested",
      "properties": {
        "testingMethod": {
          "type": "string",
          "description": "Approach to testing",
          "enum": ["inspection", "observation", "inquiry", "analysis", "re-performance", "automated-monitoring", "other"]
        },
        "testingFrequency": {
          "type": "string",
          "description": "How often testing occurs",
          "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "semi-annually", "annually", "ad-hoc"]
        },
        "lastTestDate": {
          "type": "string",
          "format": "date",
          "description": "When last tested"
        },
        "lastTestResult": {
          "type": "string",
          "description": "Outcome of last test",
          "enum": ["passed", "failed", "passed-with-exceptions", "not-tested"]
        },
        "testingResponsibility": {
          "type": "string",
          "description": "Who conducts testing"
        }
      }
    },
    "controlledRisks": {
      "type": "array",
      "description": "Risks addressed by this control",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "ID of controlled risk"
          },
          "controlRelevance": {
            "type": "string",
            "description": "How control addresses risk"
          },
          "controlWeight": {
            "type": "integer",
            "description": "Importance of control for this risk (1-5)",
            "minimum": 1,
            "maximum": 5
          }
        }
      }
    },
    "relatedControls": {
      "type": "array",
      "description": "Other linked control measures",
      "items": {
        "type": "object",
        "properties": {
          "controlID": {
            "type": "string",
            "description": "ID of related control"
          },
          "relationshipType": {
            "type": "string",
            "description": "Type of relationship",
            "enum": ["prerequisite", "dependent", "complementary", "redundant", "conflicting", "alternative", "other"]
          },
          "relationshipDescription": {
            "type": "string",
            "description": "Description of relationship"
          }
        }
      }
    },
    "controlStandards": {
      "type": "array",
      "description": "Standards applied to this control",
      "items": {
        "type": "object",
        "properties": {
          "standardName": {
            "type": "string",
            "description": "Name of standard"
          },
          "standardReference": {
            "type": "string",
            "description": "Reference within standard"
          },
          "complianceStatus": {
            "type": "string",
            "description": "Compliance with standard",
            "enum": ["compliant", "non-compliant", "partially-compliant", "not-applicable", "under-review"]
          }
        }
      }
    },
    "controlReview": {
      "type": "object",
      "description": "Review process for this control",
      "properties": {
        "reviewFrequency": {
          "type": "string",
          "description": "How often control is reviewed",
          "enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
        },
        "lastReviewDate": {
          "type": "string",
          "format": "date",
          "description": "Date of last review"
        },
        "nextReviewDate": {
          "type": "string",
          "format": "date",
          "description": "Planned date for next review"
        },
        "reviewResponsibility": {
          "type": "string",
          "description": "Who conducts reviews"
        }
      }
    },
    "implementationDetails": {
      "type": "object",
      "description": "Specifics of control implementation",
      "properties": {
        "implementationSteps": {
          "type": "array",
          "description": "Steps to implement the control",
          "items": {
            "type": "string"
          }
        },
        "systemsDependencies": {
          "type": "array",
          "description": "IT systems involved",
          "items": {
            "type": "string"
          }
        },
        "resources": {
          "type": "array",
          "description": "Resources needed",
          "items": {
            "type": "string"
          }
        },
        "skillsRequired": {
          "type": "array",
          "description": "Skills needed for implementation",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "exceptionsProcess": {
      "type": "string",
      "description": "Process for handling control exceptions"
    }
  }
}
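
An added example, not part of the Orthogramic documentation: a standard-library Python checker for the keywords the Risk Control schema above uses, run on constructed records to show what the schema rejects and what it lets through. A misspelled property name is accepted because the schema sets no `additionalProperties`. The trimmed schema copy, the `validate` helper, its `strict` flag and the sample IDs are assumptions for illustration; this helper always enforces `format: date`, which some draft-07 validators treat as an annotation unless format checking is enabled.

```python
import datetime
import re

# Trimmed copy of the Risk Control schema above: same keywords and values, fewer properties.
RISK_CONTROL_SCHEMA = {
    "type": "object",
    "required": ["controlID", "controlTitle", "description", "orgUnitTitle"],
    "properties": {
        "controlID": {"type": "string"},
        "controlTitle": {"type": "string"},
        "description": {"type": "string"},
        "orgUnitTitle": {"type": "string"},
        "controlType": {
            "type": "string",
            "enum": ["preventive", "detective", "corrective", "directive",
                     "deterrent", "recovery", "compensating", "other"],
        },
        "implementationDate": {"type": "string", "format": "date"},
        "controlledRisks": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "riskID": {"type": "string"},
                    "controlWeight": {"type": "integer", "minimum": 1, "maximum": 5},
                },
            },
        },
    },
}

_PY_TYPES = {"string": str, "object": dict, "array": list,
             "number": (int, float), "integer": int}
_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _is_date(text):
    """True for a real calendar date written as YYYY-MM-DD."""
    if not _DATE_RE.fullmatch(text):
        return False
    try:
        datetime.date.fromisoformat(text)
    except ValueError:
        return False
    return True


def validate(instance, schema, path="$", strict=False):
    """Simplified check of the keyword subset used on this page; returns violations.
    strict=True (hypothetical flag) also reports properties the schema does not declare."""
    expected = schema.get("type")
    if expected and (isinstance(instance, bool)
                     or not isinstance(instance, _PY_TYPES[expected])):
        return [f"{path}: expected {expected}"]
    errors = []
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: {instance!r} is not an allowed value")
    if isinstance(instance, (int, float)):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if schema.get("format") == "date" and isinstance(instance, str):
        if not _is_date(instance):
            errors.append(f"{path}: {instance!r} is not a YYYY-MM-DD date")
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}: missing required property {name!r}")
        for name, value in instance.items():
            if name in props:
                errors += validate(value, props[name], f"{path}.{name}", strict)
            elif strict:
                errors.append(f"{path}: unknown property {name!r}")
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors += validate(item, schema["items"], f"{path}[{i}]", strict)
    return errors


# Constructed sample records (not taken from the page).
GOOD = {
    "controlID": "CTRL-001", "controlTitle": "Quarterly access review",
    "description": "Managers recertify privileged access.", "orgUnitTitle": "IT Security",
    "controlType": "detective", "implementationDate": "2024-03-01",
    "controlledRisks": [{"riskID": "RISK-007", "controlWeight": 4}],
}
BAD = {
    "controlID": "CTRL-002", "controlTitle": "Backup restore test",
    "description": "Restore a sample backup.",      # orgUnitTitle is missing
    "controlType": "preventative",                   # not in the enum
    "implementationDate": "01/03/2024",              # not an ISO date
    "controlledRisks": [{"riskID": "RISK-007", "controlWeight": 9}],
    "implementationStaus": "operational",            # misspelled key, silently accepted
}

if __name__ == "__main__":
    for label, strict in (("schema as written", False), ("strict", True)):
        print(label)
        for err in validate(BAD, RISK_CONTROL_SCHEMA, strict=strict):
            print("  ", err)
```
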

Risk Response Element Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk Response Schema",
  "description": "Schema for Risk Response element in the Risk Management domain",
  "type": "object",
  "required": ["responseID", "responseTitle", "description", "orgUnitTitle"],
  "properties": {
    "responseID": {
      "type": "string",
      "description": "Unique identifier for the risk response"
    },
    "responseTitle": {
      "type": "string",
      "description": "Name of the specific risk response"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation of the risk response"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organization unit responsible for this response"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk domain this response belongs to"
    },
    "responseStrategy": {
      "type": "string",
      "description": "Approach to handling risk",
      "enum": ["avoid", "reduce", "transfer", "accept", "exploit", "share", "enhance", "contingent"]
    },
    "responseDescription": {
      "type": "string",
      "description": "Detailed explanation of response approach"
    },
    "targetedRisks": {
      "type": "array",
      "description": "Risks being addressed",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "ID of targeted risk"
          },
          "riskLevel": {
            "type": "string",
            "description": "Current risk level",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "targetRiskLevel": {
            "type": "string",
            "description": "Desired risk level after response",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "responseRelevance": {
            "type": "string",
            "description": "How response addresses risk"
          }
        }
      }
    },
    "responseOwner": {
      "type": "string",
      "description": "Responsible party"
    },
    "responsePriority": {
      "type": "string",
      "description": "Priority level",
      "enum": ["low", "medium", "high", "critical"]
    },
    "responseStatus": {
      "type": "string",
      "description": "Current implementation status",
      "enum": ["not-started", "planning", "in-progress", "implemented", "completed", "canceled", "deferred"]
    },
    "responseTimeline": {
      "type": "object",
      "description": "Implementation schedule",
      "properties": {
        "startDate": {
          "type": "string",
          "format": "date",
          "description": "When implementation begins"
        },
        "targetEndDate": {
          "type": "string",
          "format": "date",
          "description": "Planned completion date"
        },
        "actualEndDate": {
          "type": "string",
          "format": "date",
          "description": "Actual completion date"
        },
        "milestones": {
          "type": "array",
          "description": "Key milestones",
          "items": {
            "type": "object",
            "properties": {
              "milestoneName": {
                "type": "string",
                "description": "Name of milestone"
              },
              "milestoneDate": {
                "type": "string",
                "format": "date",
                "description": "Target date"
              },
              "milestoneStatus": {
                "type": "string",
                "description": "Current status",
                "enum": ["not-started", "in-progress", "completed", "delayed", "at-risk", "canceled"]
              }
            }
          }
        }
      }
    },
    "responseSuccess": {
      "type": "object",
      "description": "Criteria for successful response",
      "properties": {
        "successCriteria": {
          "type": "array",
          "description": "Specific success measures",
          "items": {
            "type": "object",
            "properties": {
              "criterionName": {
                "type": "string",
                "description": "Name of criterion"
              },
              "criterionDescription": {
                "type": "string",
                "description": "Description of criterion"
              },
              "targetValue": {
                "type": "string",
                "description": "Value that indicates success"
              },
              "currentValue": {
                "type": "string",
                "description": "Current measurement"
              },
              "status": {
                "type": "string",
                "description": "Achievement status",
                "enum": ["not-started", "in-progress", "achieved", "at-risk", "failed"]
              }
            }
          }
        },
        "overallSuccess": {
          "type": "string",
          "description": "Overall success assessment",
          "enum": ["successful", "partially-successful", "unsuccessful", "too-early-to-determine", "not-measured"]
        }
      }
    },
    "responseResources": {
      "type": "object",
      "description": "Resources required",
      "properties": {
        "budget": {
          "type": "number",
          "description": "Financial resources needed"
        },
        "personnel": {
          "type": "array",
          "description": "Human resources needed",
          "items": {
            "type": "object",
            "properties": {
              "role": {
                "type": "string",
                "description": "Required role"
              },
              "effort": {
                "type": "string",
                "description": "Level of effort"
              },
              "availability": {
                "type": "string",
                "description": "Resource availability",
                "enum": ["available", "partially-available", "unavailable", "to-be-acquired"]
              }
            }
          }
        },
        "technologies": {
          "type": "array",
          "description": "Technologies needed",
          "items": {
            "type": "string"
          }
        },
        "externalSupport": {
          "type": "array",
          "description": "External resources needed",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "responseReporting": {
      "type": "object",
      "description": "How progress is reported",
      "properties": {
        "reportingFrequency": {
          "type": "string",
          "description": "How often status is reported",
          "enum": ["weekly", "bi-weekly", "monthly", "quarterly", "as-needed"]
        },
        "reportingMethod": {
          "type": "string",
          "description": "How reporting occurs"
        },
        "reportingAudience": {
          "type": "array",
          "description": "Who receives reports",
          "items": {
            "type": "string"
          }
        },
        "keyMetrics": {
          "type": "array",
          "description": "Metrics included in reporting",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "responseReview": {
      "type": "object",
      "description": "Process for reviewing effectiveness",
      "properties": {
        "reviewMethod": {
          "type": "string",
          "description": "How review is conducted"
        },
        "reviewFrequency": {
          "type": "string",
          "description": "How often reviewed",
          "enum": ["monthly", "quarterly", "semi-annually", "annually", "post-implementation", "event-driven"]
        },
        "lastReviewDate": {
          "type": "string",
          "format": "date",
          "description": "Date of last review"
        },
        "lastReviewOutcome": {
          "type": "string",
          "description": "Result of last review"
        },
        "adjustmentsMade": {
          "type": "array",
          "description": "Changes based on reviews",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "costBenefitAnalysis": {
      "type": "object",
      "description": "Analysis of response value",
      "properties": {
        "implementationCost": {
          "type": "number",
          "description": "Total cost to implement"
        },
        "recurringCosts": {
          "type": "number",
          "description": "Ongoing costs"
        },
        "benefitsDescription": {
          "type": "string",
          "description": "Description of benefits"
        },
        "quantifiableBenefits": {
          "type": "number",
          "description": "Benefits that can be measured financially"
        },
        "returnOnInvestment": {
          "type": "string",
          "description": "Expected or realized ROI"
        },
        "nonFinancialBenefits": {
          "type": "array",
          "description": "Benefits not quantified financially",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "implementationChallenges": {
      "type": "array",
      "description": "Challenges faced during implementation",
      "items": {
        "type": "object",
        "properties": {
          "challengeDescription": {
            "type": "string",
            "description": "Description of challenge"
          },
          "severity": {
            "type": "string",
            "description": "Severity of challenge",
            "enum": ["minor", "moderate", "significant", "critical"]
          },
          "resolutionApproach": {
            "type": "string",
            "description": "How challenge is being addressed"
          },
          "status": {
            "type": "string",
            "description": "Resolution status",
            "enum": ["unresolved", "in-progress", "resolved"]
          }
        }
      }
    },
    "implementedControls": {
      "type": "array",
      "description": "Controls implemented as part of response",
      "items": {
        "type": "object",
        "properties": {
          "controlID": {
            "type": "string",
            "description": "ID of control"
          },
          "implementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["planned", "in-progress", "implemented", "effective", "ineffective"]
          }
        }
      }
    },
    "lessonsLearned": {
      "type": "array",
      "description": "Insights from response implementation",
      "items": {
        "type": "object",
        "properties": {
          "lessonDescription": {
            "type": "string",
            "description": "Description of lesson"
          },
          "category": {
            "type": "string",
            "description": "Category of lesson",
            "enum": ["planning", "execution", "resource-management", "stakeholder-management", "technical", "other"]
          },
          "impact": {
            "type": "string",
            "description": "How lesson affects future responses"
          }
        }
      }
    },
    "stakeholderEngagement": {
      "type": "array",
      "description": "Stakeholder involvement in response",
      "items": {
        "type": "object",
        "properties": {
          "stakeholderName": {
            "type": "string",
            "description": "Name of stakeholder"
          },
          "role": {
            "type": "string",
            "description": "Role in response"
          },
          "engagementLevel": {
            "type": "string",
            "description": "Level of engagement",
            "enum": ["informed", "consulted", "involved", "responsible", "accountable"]
          }
        }
      }
    }
  }
}

Risk Monitoring Element Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk Monitoring Schema",
  "description": "Schema for Risk Monitoring element in the Risk Management domain",
  "type": "object",
  "required": ["monitoringID", "monitoringTitle", "description", "orgUnitTitle"],
  "properties": {
    "monitoringID": {
      "type": "string",
      "description": "Unique identifier for the risk monitoring activity"
    },
    "monitoringTitle": {
      "type": "string",
      "description": "Name of the specific risk monitoring activity"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation of the risk monitoring activity"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organization unit responsible for this monitoring"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk domain this monitoring belongs to"
    },
    "monitoredRisks": {
      "type": "array",
      "description": "Risks being monitored",
      "items": {
        "type": "object",
        "properties": {
          "riskID": {
            "type": "string",
            "description": "ID of monitored risk"
          },
          "monitoringPriority": {
            "type": "string",
            "description": "Priority for monitoring",
            "enum": ["low", "medium", "high", "critical"]
          },
          "currentRiskLevel": {
            "type": "string",
            "description": "Current assessed level",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "riskTrend": {
            "type": "string",
            "description": "Direction of change",
            "enum": ["decreasing", "stable", "increasing", "fluctuating", "not-tracked"]
          }
        }
      }
    },
    "keyRiskIndicators": {
      "type": "array",
      "description": "Indicators being tracked",
      "items": {
        "type": "object",
        "properties": {
          "indicatorID": {
            "type": "string",
            "description": "Unique ID for indicator"
          },
          "indicatorName": {
            "type": "string",
            "description": "Name of indicator"
          },
          "indicatorDescription": {
            "type": "string",
            "description": "Description of what indicator measures"
          },
          "targetRisks": {
            "type": "array",
            "description": "Risks this indicator monitors",
            "items": {
              "type": "string"
            }
          },
          "measurementMethod": {
            "type": "string",
            "description": "How indicator is measured"
          },
          "thresholds": {
            "type": "array",
            "description": "Action thresholds",
            "items": {
              "type": "object",
              "properties": {
                "thresholdLevel": {
                  "type": "string",
                  "description": "Level name",
                  "enum": ["normal", "caution", "alert", "critical"]
                },
                "thresholdValue": {
                  "type": "string",
                  "description": "Trigger value"
                },
                "requiredActions": {
                  "type": "array",
                  "description": "Actions when threshold crossed",
                  "items": {
                    "type": "string"
                  }
                }
              }
            }
          },
          "currentValue": {
            "type": "string",
            "description": "Present measurement"
          },
          "currentStatus": {
            "type": "string",
            "description": "Status based on thresholds",
            "enum": ["normal", "caution", "alert", "critical", "not-measured"]
          },
          "trend": {
            "type": "string",
            "description": "Direction of movement",
            "enum": ["improving", "stable", "worsening", "fluctuating", "not-tracked"]
          }
        }
      }
    },
    "monitoringFrequency": {
      "type": "object",
      "description": "Frequency of monitoring activities",
      "properties": {
        "reviewCycle": {
          "type": "string",
          "description": "How often monitoring occurs",
          "enum": ["real-time", "daily", "weekly", "bi-weekly", "monthly", "quarterly", "annually", "event-driven"]
        },
        "justification": {
          "type": "string",
          "description": "Explanation for chosen frequency"
        },
        "lastReviewDate": {
          "type": "string",
          "format": "date",
          "description": "Date of last review"
        },
        "nextReviewDate": {
          "type": "string",
          "format": "date",
          "description": "Scheduled next review"
        }
      }
    },
    "monitoringMethods": {
      "type": "array",
      "description": "Approaches used for monitoring",
      "items": {
        "type": "object",
        "properties": {
          "methodName": {
            "type": "string",
            "description": "Name of method"
          },
          "methodDescription": {
            "type": "string",
            "description": "Description of method"
          },
          "automationLevel": {
            "type": "string",
            "description": "Degree of automation",
            "enum": ["manual", "partially-automated", "fully-automated"]
          },
          "toolsUsed": {
            "type": "array",
            "description": "Tools supporting this method",
            "items": {
              "type": "string"
            }
          }
        }
      }
    },
    "earlyWarningSystem": {
      "type": "object",
      "description": "System for early detection of risk changes",
      "properties": {
        "alertMechanisms": {
          "type": "array",
          "description": "How alerts are generated",
          "items": {
            "type": "string"
          }
        },
        "notificationRecipients": {
          "type": "array",
          "description": "Who receives alerts",
          "items": {
            "type": "string"
          }
        },
        "escalationPath": {
          "type": "string",
          "description": "How alerts are escalated"
        },
        "responseTimeframes": {
          "type": "string",
          "description": "Expected response times"
        }
      }
    },
    "monitoringResponsibilities": {
      "type": "array",
      "description": "People responsible for monitoring",
      "items": {
        "type": "object",
        "properties": {
          "role": {
            "type": "string",
            "description": "Responsible role"
          },
          "responsibilities": {
            "type": "array",
            "description": "Specific duties",
            "items": {
              "type": "string"
            }
          },
          "backupRole": {
            "type": "string",
            "description": "Backup responsibility"
          }
        }
      }
    },
    "reportingStructure": {
      "type": "object",
      "description": "How monitoring results are reported",
      "properties": {
        "reportTypes": {
          "type": "array",
          "description": "Types of reports produced",
          "items": {
            "type": "object",
            "properties": {
              "reportName": {
                "type": "string",
                "description": "Name of report"
              },
              "reportFrequency": {
                "type": "string",
                "description": "How often produced"
              },
              "audience": {
                "type": "array",
                "description": "Who receives report",
                "items": {
                  "type": "string"
                }
              },
              "contentSummary": {
                "type": "string",
                "description": "What report contains"
              }
            }
          }
        },
        "dashboards": {
          "type": "array",
          "description": "Visual monitoring tools",
          "items": {
            "type": "object",
            "properties": {
              "dashboardName": {
                "type": "string",
                "description": "Name of dashboard"
              },
              "updateFrequency": {
                "type": "string",
                "description": "How often updated"
              },
              "accessRights": {
                "type": "array",
                "description": "Who can access",
                "items": {
                  "type": "string"
                }
              }
            }
          }
        },
        "escalationCriteria": {
          "type": "string",
          "description": "When issues are escalated"
        }
      }
    },
    "continuousImprovement": {
      "type": "object",
      "description": "How monitoring is improved over time",
      "properties": {
        "reviewProcess": {
          "type": "string",
          "description": "Process for reviewing monitoring"
        },
        "improvementHistory": {
          "type": "array",
          "description": "History of improvements made",
          "items": {
            "type": "object",
            "properties": {
              "improvementDate": {
                "type": "string",
                "format": "date",
                "description": "When improvement was made"
              },
              "improvementDescription": {
                "type": "string",
                "description": "Description of improvement"
              },
              "improvementOutcome": {
                "type": "string",
                "description": "Result of improvement"
              }
            }
          }
        },
        "currentInitiatives": {
          "type": "array",
          "description": "Current improvement initiatives",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "technologySystems": {
      "type": "array",
      "description": "Systems supporting monitoring",
      "items": {
        "type": "object",
        "properties": {
          "systemName": {
            "type": "string",
            "description": "Name of system"
          },
          "systemFunction": {
            "type": "string",
            "description": "Function in monitoring"
          },
          "dataIntegrations": {
            "type": "array",
            "description": "Data sources integrated",
            "items": {
              "type": "string"
            }
          }
        }
      }
    },
    "complianceRequirements": {
      "type": "array",
      "description": "Regulatory requirements for monitoring",
      "items": {
        "type": "object",
        "properties": {
          "requirementSource": {
            "type": "string",
            "description": "Source of requirement"
          },
          "requirementDescription": {
            "type": "string",
            "description": "Description of requirement"
          },
          "complianceStatus": {
            "type": "string",
            "description": "Status of compliance",
            "enum": ["compliant", "non-compliant", "partially-compliant", "not-applicable", "under-review"]
          }
        }
      }
    },
    "dataManagement": {
      "type": "object",
      "description": "How monitoring data is managed",
      "properties": {
        "dataSources": {
          "type": "array",
          "description": "Sources of monitoring data",
          "items": {
            "type": "string"
          }
        },
        "dataQualityControls": {
          "type": "array",
          "description": "Controls for data quality",
          "items": {
            "type": "string"
          }
        },
        "dataRetention": {
          "type": "string",
          "description": "How long data is kept"
        },
        "accessControls": {
          "type": "array",
          "description": "Controls on data access",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "historicalPerformance": {
      "type": "object",
      "description": "History of monitoring effectiveness",
      "properties": {
        "successRate": {
          "type": "string",
          "description": "Rate of successful risk detection"
        },
        "falsePositives": {
          "type": "string",
          "description": "Rate of false alarms"
        },
        "missedRisks": {
          "type": "string",
          "description": "Rate of undetected risks"
        },
        "responseEffectiveness": {
          "type": "string",
          "description": "Effectiveness of responses to alerts"
        }
      }
    }
  }
}

Cross-Domain Relationship Mappings

Risk-Strategy Relationship Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Strategy Relationship Schema",
  "description": "Schema for relationships between Risk Management domain and Strategy domain",
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {
      "type": "string",
      "description": "Unique identifier for this relationship"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk element"
    },
    "title": {
      "type": "string",
      "description": "Name of the strategy"
    },
    "relationshipType": {
      "type": "string",
      "description": "Nature of the risk influence on strategy",
      "enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
    },
    "relationshipStrength": {
      "type": "integer",
      "description": "Strength of influence (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskFactors": {
      "type": "array",
      "description": "Risk factors influencing this strategy",
      "items": {
        "type": "string"
      }
    },
    "strategicImpact": {
      "type": "object",
      "description": "How risk impacts strategic elements",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of impact"
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "potentialOutcomes": {
          "type": "array",
          "description": "Possible strategic outcomes",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "strategicObjectives": {
      "type": "array",
      "description": "Strategic objectives affected by risk",
      "items": {
        "type": "object",
        "properties": {
          "objectiveID": {
            "type": "string",
            "description": "ID of strategic objective"
          },
          "riskImpact": {
            "type": "string",
            "description": "How risk impacts this objective"
          },
          "importanceLevel": {
            "type": "string",
            "description": "Importance to objective",
            "enum": ["minor", "moderate", "significant", "critical"]
          }
        }
      }
    },
    "riskAdjustments": {
      "type": "array",
      "description": "Strategic adjustments made for risk",
      "items": {
        "type": "object",
        "properties": {
          "adjustmentDescription": {
            "type": "string",
            "description": "Description of adjustment"
          },
          "adjustmentType": {
            "type": "string",
            "description": "Type of adjustment",
            "enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
          },
          "effectiveness": {
            "type": "string",
            "description": "Effectiveness of adjustment",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          }
        }
      }
    },
    "riskAppetite": {
      "type": "object",
      "description": "Strategic risk appetite",
      "properties": {
        "appetiteLevel": {
          "type": "string",
          "description": "Level of risk appetite",
          "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
        },
        "appetiteJustification": {
          "type": "string",
          "description": "Reason for this appetite level"
        },
        "variationByObjective": {
          "type": "array",
          "description": "How appetite varies by objective",
          "items": {
            "type": "object",
            "properties": {
              "objectiveID": {
                "type": "string",
                "description": "ID of objective"
              },
              "specificAppetite": {
                "type": "string",
                "description": "Specific appetite for this objective",
                "enum": ["averse", "minimalist", "cautious", "open", "seeking"]
              }
            }
          }
        }
      }
    },
    "strategicMonitoring": {
      "type": "object",
      "description": "How risk is monitored in strategy",
      "properties": {
        "monitoringApproach": {
          "type": "string",
          "description": "How risk is tracked strategically"
        },
        "keyIndicators": {
          "type": "array",
          "description": "Strategic indicators being tracked",
          "items": {
            "type": "string"
          }
        },
        "reviewFrequency": {
          "type": "string",
          "description": "How often strategic risk is reviewed",
          "enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
        }
      }
    },
    "contingencyPlans": {
      "type": "array",
      "description": "Strategic contingencies for risk events",
      "items": {
        "type": "object",
        "properties": {
          "scenarioDescription": {
            "type": "string",
            "description": "Risk scenario"
          },
          "contingencyApproach": {
            "type": "string",
            "description": "Planned response"
          },
          "triggerConditions": {
            "type": "string",
            "description": "What activates contingency"
          }
        }
      }
    }
  }
}

Risk-Capability Relationship Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Capability Relationship Schema",
  "description": "Schema for relationships between Risk Management domain and Capability domain",
  "type": "object",
  "required": ["relationshipID", "riskID", "title", "relationshipType"],
  "properties": {
    "relationshipID": {
      "type": "string",
      "description": "Unique identifier for this relationship"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the risk element"
    },
    "title": {
      "type": "string",
      "description": "Name of the capability"
    },
    "relationshipType": {
      "type": "string",
      "description": "Nature of the relationship",
      "enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
    },
    "relationshipStrength": {
      "type": "integer",
      "description": "Importance of this relationship (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskImpact": {
      "type": "object",
      "description": "How risk impacts capability",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of impact"
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "impactScenarios": {
          "type": "array",
          "description": "Specific impact scenarios",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "capabilityControls": {
      "type": "array",
      "description": "Controls within capability addressing risk",
      "items": {
        "type": "object",
        "properties": {
          "controlDescription": {
            "type": "string",
            "description": "Description of control"
          },
          "controlEffectiveness": {
            "type": "string",
            "description": "How well control works",
            "enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
          },
          "implementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"]
          }
        }
      }
    },
    "capabilityGaps": {
      "type": "array",
      "description": "Capability gaps increasing risk",
      "items": {
        "type": "object",
        "properties": {
          "gapDescription": {
            "type": "string",
            "description": "Description of gap"
          },
          "riskContribution": {
            "type": "string",
            "description": "How gap contributes to risk"
          },
          "remediation": {
            "type": "string",
            "description": "Plan to address gap"
          }
        }
      }
    },
    "performanceMetrics": {
      "type": "array",
      "description": "Metrics for measuring risk impact on capability",
      "items": {
        "type": "object",
        "properties": {
          "metricName": {
            "type": "string",
            "description": "Name of metric"
          },
          "metricDescription": {
            "type": "string",
            "description": "What metric measures"
          },
          "currentValue": {
            "type": "string",
            "description": "Current measurement"
          },
          "targetValue": {
            "type": "string",
            "description": "Target value"
          }
        }
      }
    },
    "improvementInitiatives": {
      "type": "array",
      "description": "Initiatives to improve capability for risk management",
      "items": {
        "type": "object",
        "properties": {
          "initiativeDescription": {
            "type": "string",
            "description": "Description of initiative"
          },
          "expectedOutcome": {
            "type": "string",
            "description": "Anticipated result"
          },
          "status": {
            "type": "string",
            "description": "Current status",
            "enum": ["proposed", "approved", "in-progress", "completed", "canceled"]
          }
        }
      }
    },
    "dependencyRisks": {
      "type": "array",
      "description": "Risks arising from capability dependencies",
      "items": {
        "type": "object",
        "properties": {
          "dependencyType": {
            "type": "string",
            "description": "Type of dependency"
          },
          "dependentEntity": {
            "type": "string",
            "description": "What capability depends on"
          },
          "riskScenario": {
            "type": "string",
            "description": "Risk scenario created by dependency"
          }
        }
      }
    }
  }
}

Strategic Response Model Integration

Risk-Related Triggers Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Triggers Schema",
  "description": "Schema for risk-related triggers in the Strategic Response Model",
  "type": "object",
  "required": ["triggerID", "label", "description", "primaryCategory"],
  "properties": {
    "triggerID": {
      "type": "string",
      "description": "Unique identifier for the trigger"
    },
    "label": {
      "type": "string",
      "description": "Short, human-readable name of the trigger"
    },
    "description": {
      "type": "string",
      "description": "Expanded explanation of the trigger's relevance"
    },
    "primaryCategory": {
      "type": "string",
      "description": "Primary classification of trigger context",
      "enum": ["Risk_Event", "Control_Failure", "Risk_Level_Change", "New_Risk_Identified", "Regulatory_Change", "Risk_Appetite_Change", "Risk_Concentration", "External_Threat", "Vulnerability_Detected"]
    },
    "subCategory": {
      "type": "string",
      "description": "More specific classification within the primary category"
    },
    "riskID": {
      "type": "string",
      "description": "ID of the affected risk, if applicable"
    },
    "controlID": {
      "type": "string",
      "description": "ID of the related control, if applicable"
    },
    "origin": {
      "type": "string",
      "description": "Whether the trigger originates from inside or outside the organisation",
      "enum": ["Internal", "External", "Hybrid", "Risk_Assessment", "Audit_Finding", "Control_Monitoring"]
    },
    "timeHorizon": {
      "type": "string",
      "description": "The temporal nature of the trigger",
      "enum": ["Immediate", "Short_Term", "Medium_Term", "Long_Term", "Emerging_Risk"]
    },
    "impactLevel": {
      "type": "string",
      "description": "The potential significance of the trigger",
      "enum": ["Low", "Medium", "High", "Critical"]
    },
    "detectionMethod": {
      "type": "string",
      "description": "How this trigger was detected",
      "enum": ["Risk_Assessment", "Control_Monitoring", "Incident", "Audit", "External_Intelligence", "Stakeholder_Feedback", "Regulatory_Announcement"]
    },
    "evidenceStrength": {
      "type": "integer",
      "description": "Strength of evidence for this trigger (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "riskImpact": {
      "type": "object",
      "description": "Impact on risk profile",
      "properties": {
        "impactDescription": {
          "type": "string",
          "description": "Description of risk impact"
        },
        "affectedRiskCategories": {
          "type": "array",
          "description": "Categories of risk affected",
          "items": {
            "type": "string"
          }
        },
        "potentialLoss": {
          "type": "string",
          "description": "Potential financial impact if unaddressed"
        }
      }
    },
    "detectionDate": {
      "type": "string",
      "format": "date",
      "description": "Date when the trigger was identified"
    },
    "validUntil": {
      "type": "string",
      "format": "date",
      "description": "Expected end of relevance for this trigger"
    },
    "sourceReference": {
      "type": "string",
      "description": "Reference to source document or authority identifying the trigger"
    },
    "relatedTriggers": {
      "type": "array",
      "description": "References to other related triggers",
      "items": {
        "type": "string"
      }
    },
    "strategicResponseReferences": {
      "type": "array",
      "description": "References to related Strategic Response artefacts",
      "items": {
        "type": "string"
      }
    }
  }
}

Risk-Related Rationales Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Rationales Schema",
  "description": "Schema for risk-related rationales in the Strategic Response Model",
  "type": "object",
  "required": ["rationaleID", "rationaleTitle", "description", "triggerReference"],
  "properties": {
    "rationaleID": {
      "type": "string",
      "description": "Unique identifier for the rationale"
    },
    "rationaleTitle": {
      "type": "string",
      "description": "Title or summary of the rationale"
    },
    "description": {
      "type": "string",
      "description": "Detailed explanation supporting a strategic response"
    },
    "triggerReference": {
      "type": "string",
      "description": "Primary trigger this rationale responds to"
    },
    "triggerReferences": {
      "type": "array",
      "description": "Optional multiple triggers this rationale addresses",
      "items": {
        "type": "string"
      }
    },
    "riskIDs": {
      "type": "array",
      "description": "Risks this rationale relates to",
      "items": {
        "type": "string"
      }
    },
    "linkedDomains": {
      "type": "array",
      "description": "Business architecture domains influenced or justified by this rationale",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "rationaleType": {
      "type": "string",
      "description": "The justification type for this rationale",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Response_Planning", "Opportunity_Exploitation", "Compliance_Management"]
    },
    "rationaleOrientation": {
      "type": "string",
      "description": "Whether the rationale is responding to existing conditions or anticipating future conditions",
      "enum": ["Reactive", "Proactive"]
    },
    "riskInsightSource": {
      "type": "string",
      "description": "Source of risk insights supporting this rationale",
      "enum": ["Risk_Assessment", "Incident_Analysis", "Control_Monitoring", "Audit_Finding", "Industry_Intelligence", "Scenario_Analysis", "Expert_Judgment"]
    },
    "anticipatedOutcomes": {
      "type": "array",
      "description": "For proactive rationales, the expected benefits or outcomes",
      "items": {
        "type": "string"
      }
    },
    "alternativesConsidered": {
      "type": "array",
      "description": "Other risk approaches that were evaluated but not selected",
      "items": {
        "type": "object",
        "properties": {
          "alternativeID": {
            "type": "string",
            "description": "Identifier for the alternative"
          },
          "alternativeDescription": {
            "type": "string",
            "description": "Description of the alternative approach"
          },
          "riskImplications": {
            "type": "string",
            "description": "Risk implications of this alternative"
          },
          "reasonForRejection": {
            "type": "string",
            "description": "Why this approach wasn't selected"
          }
        }
      }
    },
    "reasoningPattern": {
      "type": "string",
      "description": "The logical structure of the rationale",
      "enum": ["Risk_Based", "Control_Effectiveness", "Cost_Benefit", "Compliance_Based", "Threat_Assessment", "Vulnerability_Based", "Impact_Analysis"]
    },
    "evidenceBase": {
      "type": "string",
      "description": "The foundation for the rationale",
      "enum": ["Risk_Data", "Control_Testing", "Incident_History", "External_Intelligence", "Compliance_Requirements", "Expert_Opinion", "Quantitative_Analysis"]
    },
    "businessValueType": {
      "type": "string",
      "description": "The nature of value creation or preservation",
      "enum": ["Loss_Prevention", "Damage_Limitation", "Reputation_Protection", "Compliance_Assurance", "Operational_Resilience", "Strategic_Protection", "Opportunity_Enabling"]
    },
    "riskImpactAssessment": {
      "type": "object",
      "description": "Assessment of risk implications",
      "properties": {
        "impactType": {
          "type": "string",
          "description": "Type of risk impact",
          "enum": ["financial", "operational", "strategic", "reputational", "compliance", "multiple"]
        },
        "impactSeverity": {
          "type": "string",
          "description": "Severity of impact if not addressed",
          "enum": ["minimal", "moderate", "significant", "severe", "critical"]
        },
        "impactLikelihood": {
          "type": "string",
          "description": "Likelihood of impact if not addressed",
          "enum": ["very-low", "low", "moderate", "high", "very-high"]
        },
        "confidenceLevel": {
          "type": "integer",
          "description": "Confidence in assessment (1-5)",
          "minimum": 1,
          "maximum": 5
        }
      }
    },
    "dateCreated": {
      "type": "string",
      "format": "date",
      "description": "The date the rationale was first recorded"
    },
    "lastReviewed": {
      "type": "string",
      "format": "date",
      "description": "The most recent date of rationale review"
    },
    "effectivenessRating": {
      "type": "integer",
      "description": "Optional evaluation of rationale effectiveness (1-5)",
      "minimum": 1,
      "maximum": 5
    },
    "author": {
      "type": "string",
      "description": "The person or team who documented the rationale"
    },
    "orgUnitTitle": {
      "type": "string",
      "description": "The organisational unit that owns or authored the rationale"
    },
    "relatedRationales": {
      "type": "array",
      "description": "References to other related rationales",
      "items": {
        "type": "string"
      }
    }
  }
}

Risk-Related Strategic Responses Schema

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Risk-Related Strategic Responses Schema",
  "description": "Schema for risk-related strategic responses in the Strategic Response Model",
  "type": "object",
  "required": ["responseID", "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
  "properties": {
    "responseID": {
      "type": "string",
      "description": "A unique identifier for the strategic response"
    },
    "responseTitle": {
      "type": "string",
      "description": "A concise title summarizing the strategic response"
    },
    "responseType": {
      "type": "string",
      "description": "The classification of the response",
      "enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"]
    },
    "responseDescription": {
      "type": "string",
      "description": "A detailed explanation of the strategic response, its objectives, and scope"
    },
    "riskIDs": {
      "type": "array",
      "description": "Risk elements this response addresses",
      "items": {
        "type": "string"
      }
    },
    "triggerReferences": {
      "type": "array",
      "description": "An array of triggerIDs that initiated this strategic response",
      "items": {
        "type": "string"
      }
    },
    "rationaleReferences": {
      "type": "array",
      "description": "An array of rationaleIDs providing justification for this response",
      "items": {
        "type": "string"
      }
    },
    "performanceIndicatorReferences": {
      "type": "array",
      "description": "Metrics or KPIs that will be used to measure the success of the strategic response",
      "items": {
        "type": "string"
      }
    },
    "riskOutcomes": {
      "type": "array",
      "description": "Specific risk management outcomes resulting from this response",
      "items": {
        "type": "object",
        "properties": {
          "outcomeDescription": {
            "type": "string",
            "description": "Description of risk outcome"
          },
          "targetRiskLevel": {
            "type": "string",
            "description": "Desired risk level after response",
            "enum": ["very-low", "low", "moderate", "high", "very-high"]
          },
          "measurementApproach": {
            "type": "string",
            "description": "How outcome will be measured"
          }
        }
      }
    },
    "implementedControls": {
      "type": "array",
      "description": "Risk controls implemented by this response",
      "items": {
        "type": "object",
        "properties": {
          "controlName": {
            "type": "string",
            "description": "Name of control"
          },
          "controlDescription": {
            "type": "string",
            "description": "Description of control"
          },
          "controlType": {
            "type": "string",
            "description": "Type of control",
            "enum": ["preventive", "detective", "corrective", "directive", "other"]
          },
          "implementationStatus": {
            "type": "string",
            "description": "Status of implementation",
            "enum": ["planned", "in-progress", "implemented", "effective", "ineffective"]
          }
        }
      }
    },
    "affectedDomains": {
      "type": "array",
      "description": "A list of business architecture domains impacted by this response",
      "items": {
        "type": "string",
        "enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
      }
    },
    "implementationPlan": {
      "type": "object",
      "description": "Plan outlining how the response will be executed",
      "properties": {
        "phaseApproach": {
          "type": "string",
          "description": "Phasing of implementation"
        },
        "keyActivities": {
          "type": "array",
          "description": "Major implementation activities",
          "items": {
            "type": "string"
          }
        },
        "resources": {
          "type": "string",
          "description": "Resources required for implementation"
        },
        "governanceStructure": {
          "type": "string",
          "description": "Governance over implementation"
        }
      }
    },
    "riskMonitoring": {
      "type": "array",
      "description": "Ongoing risk monitoring approaches",
      "items": {
        "type": "object",
        "properties": {
          "monitoringMethod": {
            "type": "string",
            "description": "Method for monitoring"
          },
          "keyIndicators": {
            "type": "array",
            "description": "Indicators being monitored",
            "items": {
              "type": "string"
            }
          },
          "frequency": {
            "type": "string",
            "description": "How often monitoring occurs",
            "enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"]
          }
        }
      }
    },
    "expectedOutcomes": {
      "type": "string",
      "description": "A description of the anticipated results or benefits from implementing the response"
    },
    "responsibleOrgUnits": {
      "type": "array",
      "description": "Organisation units accountable for executing the strategic response",
      "items": {
        "type": "string"
      }
    },
    "startDate": {
      "type": "string",
      "format": "date",
      "description": "The planned start date for implementing the strategic response"
    },
    "endDate": {
      "type": "string",
      "format": "date",
      "description": "The planned completion date for the strategic response"
    },
    "status": {
      "type": "string",
      "description": "The current status of the strategic response",
      "enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"]
    },
    "lastUpdated": {
      "type": "string",
      "format": "date",
      "description": "The date when the strategic response record was last updated"
    },
    "residualRiskAssessment": {
      "type": "string",
      "description": "Assessment of risk remaining after response implementation"
    },
    "strategicThemes": {
      "type": "array",
      "description": "An array of strategic priorities that this initiative supports",
      "items": {
        "type": "string"
      }
    }
  }
}

Example Implementation

Example: Cybersecurity Risk Profile Analysis

{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "external",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      {
        "impactType": "reputational",
        "description": "Severe damage to brand trust and customer confidence",
        "severity": "high"
      },
      {
        "impactType": "regulatory",
        "description": "Substantial fines under data protection regulations",
        "severity": "high"
      },
      {
        "impactType": "operational",
        "description": "Service disruption during incident response",
        "severity": "medium"
      }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      {
        "metricName": "Security incidents involving PII",
        "thresholdValue": "0",
        "responseRequired": "Immediate executive notification and investigation"
      },
      {
        "metricName": "Failed security tests",
        "thresholdValue": ">5%",
        "responseRequired": "Security remediation within 48 hours"
      }
    ],
    "rationale": "Given regulatory requirements and potential reputational impact"
  },
  "riskStatus": "mitigated",
  "mitigationStrategy": {
    "approachType": "reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
    "implementationStatus": "implemented"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": [
      "Investigating additional advanced endpoint protection",
      "Enhancing threat hunting capabilities"
    ]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": [
      "Strengthen third-party security assessment process",
      "Enhance cloud security monitoring"
    ]
  },
  "reviewFrequency": "quarterly",
  "lastReviewDate": "2025-04-01",
  "nextReviewDate": "2025-07-01",
  "regulatoryImplications": [
    {
      "regulationType": "Data Protection",
      "regulationName": "GDPR",
      "implications": "Breach notification requirements and potential fines up to 4% of global revenue",
      "complianceStatus": "compliant"
    },
    {
      "regulationType": "Financial",
      "regulationName": "PCI-DSS",
      "implications": "Requirements for securing payment card data",
      "complianceStatus": "compliant"
    }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      {
        "objectiveID": "STRAT-DIGITAL-003",
        "impactDescription": "Risk considerations require adjustment to cloud migration timeline",
        "impactSeverity": "moderate"
      },
      {
        "objectiveID": "STRAT-CUSTOMER-002",
        "impactDescription": "Enhanced security measures could create friction in customer experience",
        "impactSeverity": "minor"
      }
    ]
  },
  "emergingFactors": [
    {
      "factorName": "AI-Enhanced Cyber Threats",
      "description": "Increasing sophistication of attacks using AI to evade detection",
      "potentialImpact": "Could increase probability of successful breach",
      "timeHorizon": "medium-term",
      "monitoringApproach": "Threat intelligence subscription and quarterly assessment"
    },
    {
      "factorName": "Extended Supply Chain Exposure",
      "description": "Increasing integration with third-party systems expanding attack surface",
      "potentialImpact": "New vectors for data compromise",
      "timeHorizon": "immediate",
      "monitoringApproach": "Third-party security assessment program"
    }
  ],
  "relatedRisks": [
    {
      "riskID": "RISK-TECH-005",
      "relationshipType": "contributor",
      "relationshipStrength": 4,
      "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities"
    },
    {
      "riskID": "RISK-COMP-002",
      "relationshipType": "consequence",
      "relationshipStrength": 5,
      "description": "Data breach would trigger Regulatory Compliance Risk"
    }
  ],
  "keyRiskIndicators": [
    {
      "indicatorName": "Security Incidents",
      "description": "Number of security incidents detected per month",
      "currentValue": "12",
      "threshold": "25",
      "trend": "stable",
      "monitoringFrequency": "daily"
    },
    {
      "indicatorName": "Vulnerability Remediation Time",
      "description": "Average time to remediate critical vulnerabilities",
      "currentValue": "1.8 days",
      "threshold": "3 days",
      "trend": "improving",
      "monitoringFrequency": "weekly"
    },
    {
      "indicatorName": "Phishing Simulation Success Rate",
      "description": "Percentage of employees clicking on simulated phishing emails",
      "currentValue": "4.2%",
      "threshold": "5%",
      "trend": "stable",
      "monitoringFrequency": "monthly"
    }
  ],
  "dependencies": [
    {
      "dependencyType": "Critical",
      "domainType": "Capability",
      "entityID": "CAP-SECOPS-001",
      "description": "Security Operations capability"
    },
    {
      "dependencyType": "Important",
      "domainType": "Information",
      "entityID": "INFO-DATA-003",
      "description": "Customer Data Security Classification Framework"
    }
  ],
  "documentationReferences": [
    {
      "documentName": "Information Security Policy",
      "documentLocation": "Policy repository (IS-POL-001)",
      "documentType": "policy",
      "documentDate": "2024-12-15"
    },
    {
      "documentName": "Annual Cybersecurity Risk Assessment",
      "documentLocation": "Risk repository (RISK-RPT-2025-01)",
      "documentType": "assessment",
      "documentDate": "2025-02-28"
    }
  ]
}
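The key risk indicators in the profile above store `currentValue` and `threshold` as strings with units ("1.8 days", "4.2%"), so a monitoring job has to normalise them before any comparison. The following is an added example, not part of the schema or of this page's own material; it assumes higher values are worse and thresholds are upper bounds, and `warn_ratio` is a hypothetical early-warning margin.

```python
import re

# Constructed sample: the keyRiskIndicators array of RISK-CYBER-001 above,
# trimmed to the fields this check reads.
KRIS = [
    {"indicatorName": "Security Incidents",
     "currentValue": "12", "threshold": "25"},
    {"indicatorName": "Vulnerability Remediation Time",
     "currentValue": "1.8 days", "threshold": "3 days"},
    {"indicatorName": "Phishing Simulation Success Rate",
     "currentValue": "4.2%", "threshold": "5%"},
]

# Optional ">" / ">=" prefix (as in the riskTolerance thresholdValue ">5%"),
# then a number, then a free-text unit.
_MEASURE = re.compile(
    r"^\s*(?P<op>>=?)?\s*(?P<num>\d+(?:\.\d+)?)\s*(?P<unit>.*?)\s*$")


def parse_measure(text):
    """Split '1.8 days', '4.2%' or '>5%' into (operator, number, unit)."""
    m = _MEASURE.match(text)
    if m is None:
        raise ValueError(f"unparseable measure: {text!r}")
    return m.group("op") or ">", float(m.group("num")), m.group("unit").lower()


def evaluate_kri(kri, warn_ratio=0.8):
    """Return (status, ratio) for one indicator.

    Assumptions, not stated by the schema: higher values are worse, the
    threshold is an upper bound, and warn_ratio is a hypothetical margin.
    """
    _, current, cur_unit = parse_measure(kri["currentValue"])
    op, limit, lim_unit = parse_measure(kri["threshold"])
    if cur_unit != lim_unit:  # refuse to compare days with percent
        raise ValueError(
            f"{kri['indicatorName']}: unit {cur_unit!r} != {lim_unit!r}")
    breached = current >= limit if op == ">=" else current > limit
    if limit == 0:  # zero-tolerance threshold: no ratio can be computed
        return ("breach" if breached else "ok"), None
    ratio = round(current / limit, 2)
    if breached:
        return "breach", ratio
    return ("warning" if ratio >= warn_ratio else "ok"), ratio


def evaluate_all(kris):
    """Map indicator name -> (status, ratio of current value to threshold)."""
    return {k["indicatorName"]: evaluate_kri(k) for k in kris}


if __name__ == "__main__":
    for name, (status, ratio) in evaluate_all(KRIS).items():
        print(name, status, ratio)
```

On the sample data the phishing indicator sits at 0.84 of its threshold and is reported as a warning even though it has not yet breached.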

Risk Management Domain Schema Properties

Risk Management Domain Attributes

| Property | Description | Example |
| --- | --- | --- |
| riskID | Unique identifier for the risk element | "RISK-CYBER-001" |
| title | The name or title of the risk | "Critical Data Breach Risk" |
| description | A detailed explanation of the risk | "The risk of unauthorized access to or exfiltration of sensitive customer data..." |
| riskCategory | Classification of risk type | "technology" |
| orgUnitTitle | Organization unit responsible for managing risk | "Information Security Department" |
| orgUnitRoles | Specific roles managing this risk | ["Chief Information Security Officer", "Security Operations Manager"] |
| riskSource | Origin of the risk | "external" |
| riskOwner | Individual or role responsible for risk management | "Chief Information Security Officer" |
| riskProbability | Likelihood of risk occurrence | {"level": "moderate", "numericValue": 0.35} |
| riskImpact | Potential effect if risk is realized | {"level": "severe", "financialImpact": "$5-15 million"} |
| riskSeverity | Combined measure of probability and impact | {"level": "high", "score": 16} |
| riskTolerance | Acceptable level of this risk | {"toleranceLevel": "low", "thresholds": [{...}]} |
| riskStatus | Current status in management lifecycle | "mitigated" |
| mitigationStrategy | Approach to risk reduction | {"approachType": "reduce", "description": "Comprehensive cybersecurity program..."} |
| residualRisk | Risk remaining after controls | {"level": "moderate", "acceptableLevel": true} |
| controlEffectiveness | Effectiveness of current controls | {"level": "effective", "lastAssessment": "2025-03-15"} |
| reviewFrequency | How often risk is reassessed | "quarterly" |
| regulatoryImplications | Compliance aspects of this risk | [{"regulationType": "Data Protection", "regulationName": "GDPR"}] |
| strategicImplications | Impact on strategic objectives | {"overallImpact": "mixed", "affectedObjectives": [{...}]} |
| emergingFactors | Developing influences on this risk | [{"factorName": "AI-Enhanced Cyber Threats", "timeHorizon": "medium-term"}] |
| relatedRisks | Relationships to other risks | [{"riskID": "RISK-TECH-005", "relationshipType": "contributor"}] |
| keyRiskIndicators | Metrics used to monitor this risk | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |

Risk Assessment Element Schema

| Property | Description | Example |
| --- | --- | --- |
| assessmentID | Unique identifier for the risk assessment | "ASSESS-CYBER-2025-Q1" |
| assessmentTitle | Name of the specific risk assessment | "Annual Cybersecurity Risk Assessment" |
| description | Detailed explanation of the risk assessment | "Comprehensive assessment of cybersecurity risks including threats, vulnerabilities..." |
| orgUnitTitle | Organization unit conducting assessment | "Information Security Department" |
| assessmentMethod | Methodology used for assessment | "quantitative" |
| assessmentScope | Boundaries of the assessment | {"inScope": ["Enterprise applications", "Customer data systems"]} |
| assessmentContext | Business context for the assessment | "Supporting digital transformation initiative while ensuring data protection" |
| assessmentDate | When assessment was conducted | {"startDate": "2025-01-15", "completionDate": "2025-02-28"} |
| assessmentParticipants | People involved in assessment | [{"participantName": "Sarah Johnson", "participantRole": "CISO"}] |
| riskCriteria | Criteria for evaluating risks | {"probabilityCriteria": [{...}], "impactCriteria": [{...}]} |
| identifiedRisks | Risks discovered during assessment | [{"riskID": "RISK-CYBER-001", "riskTitle": "Critical Data Breach Risk"}] |
| riskRankings | Prioritization of risks | [{"riskID": "RISK-CYBER-001", "priority": "high"}] |
| assessmentFindings | Key outcomes and insights | [{"findingTitle": "Inadequate API security controls", "findingSeverity": "high"}] |
| assessmentRecommendations | Suggested actions | [{"recommendationTitle": "Implement API gateway", "recommendationPriority": "high"}] |
| assessmentOwner | Responsible party for assessment | "Chief Information Security Officer" |
| nextAssessment | Timing for follow-up | {"plannedDate": "2026-01-15", "triggerEvents": ["Major system change"]} |

Risk Control Element Schema

| Property | Description | Example |
| --- | --- | --- |
| controlID | Unique identifier for the risk control | "CTRL-CYBER-008" |
| controlTitle | Name of the specific risk control | "Multi-factor Authentication" |
| description | Detailed explanation of the risk control | "Requiring two or more verification factors before granting system access" |
| orgUnitTitle | Organization unit responsible for this control | "IT Security Operations" |
| controlType | Type of control measure | "preventive" |
| controlCategory | Functional category of control | "technical" |
| controlMethod | How control operates | "automated" |
| controlObjective | What the control aims to achieve | "Prevent unauthorized access to systems and data through credential compromise" |
| implementationStatus | Current implementation state | "operational" |
| controlEffectiveness | How well control works | {"designEffectiveness": "effective", "operationalEffectiveness": "effective"} |
| controlOwner | Responsible party for implementation | "Identity & Access Management Manager" |
| controlCost | Cost of implementation and maintenance | {"implementationCost": 250000, "recurringCost": 80000, "costPeriod": "annually"} |
| controlDocumentation | Reference documentation | [{"documentName": "MFA Standard", "documentType": "standard"}] |
| controlTesting | How and when control is tested | {"testingMethod": "automated-monitoring", "testingFrequency": "monthly"} |
| controlledRisks | Risks addressed by this control | [{"riskID": "RISK-CYBER-001", "controlWeight": 5}] |
| relatedControls | Other linked control measures | [{"controlID": "CTRL-CYBER-012", "relationshipType": "complementary"}] |
| controlStandards | Standards applied to this control | [{"standardName": "NIST 800-53", "standardReference": "IA-2(1)"}] |
| exceptionsProcess | Process for handling control exceptions | "Requires CISO approval with business justification and compensating controls" |

Risk Response Element Schema

| Property | Description | Example |
| --- | --- | --- |
| responseID | Unique identifier for the risk response | "RESP-CYBER-003" |
| responseTitle | Name of the specific risk response | "Enhanced Data Protection Program" |
| description | Detailed explanation of the risk response | "Comprehensive program to strengthen data security controls and practices" |
| orgUnitTitle | Organization unit responsible for this response | "Information Security Department" |
| responseStrategy | Approach to handling risk | "reduce" |
| responseDescription | Detailed explanation of response approach | "Implementing technical controls, process improvements, and awareness training" |
| targetedRisks | Risks being addressed | [{"riskID": "RISK-CYBER-001", "targetRiskLevel": "low"}] |
| responseOwner | Responsible party | "Chief Information Security Officer" |
| responsePriority | Priority level | "high" |
| responseStatus | Current implementation status | "in-progress" |
| responseTimeline | Implementation schedule | {"startDate": "2025-01-01", "targetEndDate": "2025-06-30"} |
| responseSuccess | Criteria for successful response | {"successCriteria": [{"criterionName": "Security control implementation"}]} |
| responseResources | Resources required | {"budget": 750000, "personnel": [{"role": "Security Engineer"}]} |
| responseReporting | How progress is reported | {"reportingFrequency": "monthly", "reportingMethod": "Executive dashboard"} |
| responseReview | Process for reviewing effectiveness | {"reviewMethod": "Independent assessment", "reviewFrequency": "quarterly"} |
| costBenefitAnalysis | Analysis of response value | {"implementationCost": 750000, "recurringCosts": 250000, "returnOnInvestment": "325%"} |
| implementedControls | Controls implemented as part of response | [{"controlID": "CTRL-CYBER-008", "implementationStatus": "implemented"}] |
| lessonsLearned | Insights from response implementation | [{"lessonDescription": "Early stakeholder engagement critical to success"}] |

Risk Monitoring Element Schema

| Property | Description | Example |
| --- | --- | --- |
| monitoringID | Unique identifier for the risk monitoring activity | "MON-CYBER-002" |
| monitoringTitle | Name of the specific risk monitoring activity | "Cybersecurity Risk Monitoring Program" |
| description | Detailed explanation of the risk monitoring activity | "Continuous monitoring of key risk indicators and control effectiveness" |
| orgUnitTitle | Organization unit responsible for this monitoring | "Security Operations Center" |
| monitoredRisks | Risks being monitored | [{"riskID": "RISK-CYBER-001", "monitoringPriority": "high"}] |
| keyRiskIndicators | Indicators being tracked | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
| monitoringFrequency | Frequency of monitoring activities | {"reviewCycle": "continuous", "justification": "Critical risk requiring real-time visibility"} |
| monitoringMethods | Approaches used for monitoring | [{"methodName": "SIEM Analytics", "automationLevel": "fully-automated"}] |
| earlyWarningSystem | System for early detection of risk changes | {"alertMechanisms": ["Automated alerts", "Dashboard indicators"]} |
| monitoringResponsibilities | People responsible for monitoring | [{"role": "SOC Analyst", "responsibilities": ["Monitor alerts", "Initial triage"]}] |
| reportingStructure | How monitoring results are reported | {"reportTypes": [{"reportName": "Weekly Security Status", "reportFrequency": "weekly"}]} |
| technologySystems | Systems supporting monitoring | [{"systemName": "Security Information & Event Management", "systemFunction": "Log analysis"}] |
| dataManagement | How monitoring data is managed | {"dataSources": ["Firewall logs", "IDS alerts", "Authentication logs"]} |
| historicalPerformance | History of monitoring effectiveness | {"successRate": "93% of incidents detected by monitoring systems"} |
