The Risk Management domain represents the structured approach to identifying, assessing, mitigating, monitoring, and responding to risks across the organization. This domain provides a comprehensive framework for modeling risk profiles, assessment methodologies, control mechanisms, and response strategies, enabling risk-centric analysis that drives strategic planning, operational resilience, and compliance management.
The domain extends the Orthogramic Metamodel by providing deeper insights into risk factors, control effectiveness, and mitigation approaches, enabling organizations to align their capabilities, value streams, and strategies with risk appetite and tolerance thresholds.
The Risk Management Domain enables organizations to:
Systematically identify and categorize risks that could impact strategic, operational, and compliance objectives
Assess and prioritize risks based on likelihood, impact, and organizational context
Develop and implement appropriate control mechanisms and mitigation strategies
Monitor risk indicators and control effectiveness over time
Support data-driven decision making about risk acceptance, reduction, transfer, or avoidance
Drive resilience through improved visibility into risk interdependencies
Provide a structured foundation for governance, compliance, and assurance activities
Ensure consistent risk management practices across the enterprise
Risk Profile
A comprehensive view of a specific risk, including its characteristics, potential impacts, and management approaches. Risk profiles provide a way to understand and communicate the nature of risks, their significance to the organization, and how they are being addressed.
Risk Assessment
A structured evaluation of identified risks, including analysis of causes, impacts, likelihood, and prioritization. Risk assessment methodologies enable consistent approaches to risk evaluation across the organization.
Risk Control
A mechanism, process, or measure implemented to modify risk by reducing likelihood, impact, or both. Controls provide the means to manage risks within acceptable thresholds.
Risk Response
An organized approach to addressing risks through avoidance, reduction, transfer, or acceptance strategies. Response planning ensures appropriate action for prioritized risks.
Risk Monitoring
Ongoing observation and evaluation of risk status, trends, and control effectiveness. Monitoring frameworks provide early warning of changing risk profiles.
Domain Attributes
Basic identification: title, description, riskCategory
Organizational alignment: orgUnitTitle, orgUnitRoles, riskOwner
Risk characteristics: riskSource, riskProbability, riskImpact, riskSeverity
Management factors: riskTolerance, riskStatus, mitigationStrategy, residualRisk
External factors: regulatoryImplications, emergingFactors
Strategic implications: strategicImplications, relevantObjectives
Domain Elements
Risk Assessment Element
Provides a structured approach to evaluating risks:
Assessment methodologies and frameworks
Scope and boundaries of evaluation
Criteria for risk evaluation
Findings and recommendations
Prioritization and ranking
Participant roles and responsibilities
Risk Control Element
Maps the mechanisms used to modify risk:
Control type and design
Implementation status and effectiveness
Testing and validation approaches
Ownership and responsibilities
Documentation and evidence
Standards and benchmarks
Risk Response Element
Analyzes the strategic approaches to risk management:
Response strategy selection
Implementation planning and resources
Success criteria and measurements
Progress tracking and reporting
Review and effectiveness evaluation
Continuous improvement processes
Risk Monitoring Element
Evaluates ongoing risk observation and tracking:
Key risk indicators
Monitoring frequency and methods
Threshold definitions and alerts
Trend analysis approaches
Escalation pathways
Reporting structures
Getting Started
Begin by identifying and documenting key risk categories
Select a high-priority risk and create a detailed risk profile
Document the assessment methodology used to evaluate risks
Map major control mechanisms and their effectiveness
Define response strategies for priority risks
Best Practices
Ensure risk profiles have clear ownership and accountability
Base risk assessments on consistent and objective criteria
Update risk evaluations regularly as internal and external factors change
Connect risk elements to strategic decisions and operational capabilities
Involve multiple perspectives in risk analysis to avoid bias
Maintain a balance between risk control costs and potential impact
Common Pitfalls to Avoid
Creating overly complex risk categorization that dilutes management focus
Basing risk assessments on assumptions rather than evidence
Failing to connect risk analysis to strategic and operational domains
Not updating risk profiles as business context evolves
Focusing exclusively on risk avoidance while missing positive risk (opportunity)
Overlooking risk interdependencies and cascading effects
The Risk Management Domain schema is expected to evolve with emerging practices in risk management. Future extensions may include:
Enhanced predictive risk analytics
AI-assisted risk identification and assessment
Dynamic risk modeling capabilities
Operational resilience frameworks
Cyber and digital risk extensions
Integrated governance, risk, and compliance models
Organizations should plan for these evolutions by maintaining clean taxonomies and clear relationship models in their current implementation.
The Risk Management Domain extends the Orthogramic Metamodel with a robust framework for modeling and managing risk-related aspects of business architecture. By providing structured schemas for risk profiles, assessments, controls, responses, and monitoring approaches, it enables organizations to systematically align their capabilities, value streams, and strategies with risk management objectives.
The integration with the Strategic Response Model ensures that risk insights drive strategic decision-making and organizational change. This domain complements other domains by focusing on the uncertainty dimensions that affect organizational activities, providing critical context for strategic planning and operational execution.
Organizations can use this domain to develop a more comprehensive understanding of their risk landscape, implement effective controls, and ensure that strategic initiatives properly account for risk factors in design and execution.
{
"riskID": "RISK-CYBER-001",
"title": "Critical Data Breach Risk",
"description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
"riskCategory": "technology",
"orgUnitTitle": "Information Security Department",
"orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
"riskSource": "external",
"riskOwner": "Chief Information Security Officer",
"riskProbability": {
"level": "moderate",
"numericValue": 0.35,
"rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
"timeHorizon": "12 months"
},
"riskImpact": {
"level": "severe",
"financialImpact": "$5-15 million",
"nonFinancialImpacts": [
{
"impactType": "reputational",
"description": "Severe damage to brand trust and customer confidence",
"severity": "high"
},
{
"impactType": "regulatory",
"description": "Substantial fines under data protection regulations",
"severity": "high"
},
{
"impactType": "operational",
"description": "Service disruption during incident response",
"severity": "medium"
}
],
"rationale": "Based on analysis of recent industry breaches and our specific data exposure"
},
"riskSeverity": {
"level": "high",
"score": 16,
"calculationMethod": "5x5 risk matrix combining probability and impact values"
},
"riskTolerance": {
"toleranceLevel": "low",
"thresholds": [
{
"metricName": "Security incidents involving PII",
"thresholdValue": "0",
"responseRequired": "Immediate executive notification and investigation"
},
{
"metricName": "Failed security tests",
"thresholdValue": ">5%",
"responseRequired": "Security remediation within 48 hours"
}
],
"rationale": "Given regulatory requirements and potential reputational impact"
},
"riskStatus": "mitigated",
"mitigationStrategy": {
"approachType": "reduce",
"description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
"expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
"implementationStatus": "implemented"
},
"residualRisk": {
"level": "moderate",
"acceptableLevel": true,
"description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
"additionalControls": [
"Investigating additional advanced endpoint protection",
"Enhancing threat hunting capabilities"
]
},
"controlEffectiveness": {
"level": "effective",
"lastAssessment": "2025-03-15",
"improvementNeeds": [
"Strengthen third-party security assessment process",
"Enhance cloud security monitoring"
]
},
"reviewFrequency": "quarterly",
"lastReviewDate": "2025-04-01",
"nextReviewDate": "2025-07-01",
"regulatoryImplications": [
{
"regulationType": "Data Protection",
"regulationName": "GDPR",
"implications": "Breach notification requirements and potential fines up to 4% of global revenue",
"complianceStatus": "compliant"
},
{
"regulationType": "Financial",
"regulationName": "PCI-DSS",
"implications": "Requirements for securing payment card data",
"complianceStatus": "compliant"
}
],
"strategicImplications": {
"overallImpact": "mixed",
"affectedObjectives": [
{
"objectiveID": "STRAT-DIGITAL-003",
"impactDescription": "Risk considerations require adjustment to cloud migration timeline",
"impactSeverity": "moderate"
},
{
"objectiveID": "STRAT-CUSTOMER-002",
"impactDescription": "Enhanced security measures could create friction in customer experience",
"impactSeverity": "minor"
}
]
},
"emergingFactors": [
{
"factorName": "AI-Enhanced Cyber Threats",
"description": "Increasing sophistication of attacks using AI to evade detection",
"potentialImpact": "Could increase probability of successful breach",
"timeHorizon": "medium-term",
"monitoringApproach": "Threat intelligence subscription and quarterly assessment"
},
{
"factorName": "Extended Supply Chain Exposure",
"description": "Increasing integration with third-party systems expanding attack surface",
"potentialImpact": "New vectors for data compromise",
"timeHorizon": "immediate",
"monitoringApproach": "Third-party security assessment program"
}
],
"relatedRisks": [
{
"riskID": "RISK-TECH-005",
"relationshipType": "contributor",
"relationshipStrength": 4,
"description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities"
},
{
"riskID": "RISK-COMP-002",
"relationshipType": "consequence",
"relationshipStrength": 5,
"description": "Data breach would trigger Regulatory Compliance Risk"
}
],
"keyRiskIndicators": [
{
"indicatorName": "Security Incidents",
"description": "Number of security incidents detected per month",
"currentValue": "12",
"threshold": "25",
"trend": "stable",
"monitoringFrequency": "daily"
},
{
"indicatorName": "Vulnerability Remediation Time",
"description": "Average time to remediate critical vulnerabilities",
"currentValue": "1.8 days",
"threshold": "3 days",
"trend": "improving",
"monitoringFrequency": "weekly"
},
{
"indicatorName": "Phishing Simulation Success Rate",
"description": "Percentage of employees clicking on simulated phishing emails",
"currentValue": "4.2%",
"threshold": "5%",
"trend": "stable",
"monitoringFrequency": "monthly"
}
],
"dependencies": [
{
"dependencyType": "Critical",
"domainType": "Capability",
"entityID": "CAP-SECOPS-001",
"description": "Security Operations capability"
},
{
"dependencyType": "Important",
"domainType": "Information",
"entityID": "INFO-DATA-003",
"description": "Customer Data Security Classification Framework"
}
],
"documentationReferences": [
{
"documentName": "Information Security Policy",
"documentLocation": "Policy repository (IS-POL-001)",
"documentType": "policy",
"documentDate": "2024-12-15"
},
{
"documentName": "Annual Cybersecurity Risk Assessment",
"documentLocation": "Risk repository (RISK-RPT-2025-01)",
"documentType": "assessment",
"documentDate": "2025-02-28"
}
]
}
|
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Strategy Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Strategy domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the strategy"
},
"relationshipType": {
"type": "string",
"description": "Nature of the risk influence on strategy",
"enum": ["strategic-threat", "strategic-opportunity", "execution-risk", "enabler", "constraint", "context-factor", "success-factor", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Strength of influence (1-5)",
"minimum": 1,
"maximum": 5
},
"riskFactors": {
"type": "array",
"description": "Risk factors influencing this strategy",
"items": {
"type": "string"
}
},
"strategicImpact": {
"type": "object",
"description": "How risk impacts strategic elements",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"potentialOutcomes": {
"type": "array",
"description": "Possible strategic outcomes",
"items": {
"type": "string"
}
}
}
},
"strategicObjectives": {
"type": "array",
"description": "Strategic objectives affected by risk",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of strategic objective"
},
"riskImpact": {
"type": "string",
"description": "How risk impacts this objective"
},
"importanceLevel": {
"type": "string",
"description": "Importance to objective",
"enum": ["minor", "moderate", "significant", "critical"]
}
}
}
},
"riskAdjustments": {
"type": "array",
"description": "Strategic adjustments made for risk",
"items": {
"type": "object",
"properties": {
"adjustmentDescription": {
"type": "string",
"description": "Description of adjustment"
},
"adjustmentType": {
"type": "string",
"description": "Type of adjustment",
"enum": ["scope-change", "timeline-adjustment", "resource-increase", "goal-modification", "approach-change", "other"]
},
"effectiveness": {
"type": "string",
"description": "Effectiveness of adjustment",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
}
}
}
},
"riskAppetite": {
"type": "object",
"description": "Strategic risk appetite",
"properties": {
"appetiteLevel": {
"type": "string",
"description": "Level of risk appetite",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
},
"appetiteJustification": {
"type": "string",
"description": "Reason for this appetite level"
},
"variationByObjective": {
"type": "array",
"description": "How appetite varies by objective",
"items": {
"type": "object",
"properties": {
"objectiveID": {
"type": "string",
"description": "ID of objective"
},
"specificAppetite": {
"type": "string",
"description": "Specific appetite for this objective",
"enum": ["averse", "minimalist", "cautious", "open", "seeking"]
}
}
}
}
}
},
"strategicMonitoring": {
"type": "object",
"description": "How risk is monitored in strategy",
"properties": {
"monitoringApproach": {
"type": "string",
"description": "How risk is tracked strategically"
},
"keyIndicators": {
"type": "array",
"description": "Strategic indicators being tracked",
"items": {
"type": "string"
}
},
"reviewFrequency": {
"type": "string",
"description": "How often strategic risk is reviewed",
"enum": ["monthly", "quarterly", "semi-annually", "annually", "event-driven"]
}
}
},
"contingencyPlans": {
"type": "array",
"description": "Strategic contingencies for risk events",
"items": {
"type": "object",
"properties": {
"scenarioDescription": {
"type": "string",
"description": "Risk scenario"
},
"contingencyApproach": {
"type": "string",
"description": "Planned response"
},
"triggerConditions": {
"type": "string",
"description": "What activates contingency"
}
}
}
}
}
}
|
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Capability Relationship Schema",
"description": "Schema for relationships between Risk Management domain and Capability domain",
"type": "object",
"required": ["relationshipID", "riskID", "title", "relationshipType"],
"properties": {
"relationshipID": {
"type": "string",
"description": "Unique identifier for this relationship"
},
"riskID": {
"type": "string",
"description": "ID of the risk element"
},
"title": {
"type": "string",
"description": "Name of the capability"
},
"relationshipType": {
"type": "string",
"description": "Nature of the relationship",
"enum": ["risk-to-capability", "capability-to-risk", "mitigating-capability", "risk-generating-capability", "impacted-capability", "interdependent", "other"]
},
"relationshipStrength": {
"type": "integer",
"description": "Importance of this relationship (1-5)",
"minimum": 1,
"maximum": 5
},
"riskImpact": {
"type": "object",
"description": "How risk impacts capability",
"properties": {
"impactDescription": {
"type": "string",
"description": "Description of impact"
},
"impactSeverity": {
"type": "string",
"description": "Severity of impact",
"enum": ["minimal", "moderate", "significant", "severe", "critical"]
},
"impactScenarios": {
"type": "array",
"description": "Specific impact scenarios",
"items": {
"type": "string"
}
}
}
},
"capabilityControls": {
"type": "array",
"description": "Controls within capability addressing risk",
"items": {
"type": "object",
"properties": {
"controlDescription": {
"type": "string",
"description": "Description of control"
},
"controlEffectiveness": {
"type": "string",
"description": "How well control works",
"enum": ["ineffective", "partially-effective", "effective", "highly-effective", "not-assessed"]
},
"implementationStatus": {
"type": "string",
"description": "Status of implementation",
"enum": ["not-implemented", "planning", "in-progress", "implemented", "verified"]
}
}
}
},
"capabilityGaps": {
"type": "array",
"description": "Capability gaps increasing risk",
"items": {
"type": "object",
"properties": {
"gapDescription": {
"type": "string",
"description": "Description of gap"
},
"riskContribution": {
"type": "string",
"description": "How gap contributes to risk"
},
"remediation": {
"type": "string",
"description": "Plan to address gap"
}
}
}
},
"performanceMetrics": {
"type": "array",
"description": "Metrics for measuring risk impact on capability",
"items": {
"type": "object",
"properties": {
"metricName": {
"type": "string",
"description": "Name of metric"
},
"metricDescription": {
"type": "string",
"description": "What metric measures"
},
"currentValue": {
"type": "string",
"description": "Current measurement"
},
"targetValue": {
"type": "string",
"description": "Target value"
}
}
}
},
"improvementInitiatives": {
"type": "array",
"description": "Initiatives to improve capability for risk management",
"items": {
"type": "object",
"properties": {
"initiativeDescription": {
"type": "string",
"description": "Description of initiative"
},
"expectedOutcome": {
"type": "string",
"description": "Anticipated result"
},
"status": {
"type": "string",
"description": "Current status",
"enum": ["proposed", "approved", "in-progress", "completed", "canceled"]
}
}
}
},
"dependencyRisks": {
"type": "array",
"description": "Risks arising from capability dependencies",
"items": {
"type": "object",
"properties": {
"dependencyType": {
"type": "string",
"description": "Type of dependency"
},
"dependentEntity": {
"type": "string",
"description": "What capability depends on"
},
"riskScenario": {
"type": "string",
"description": "Risk scenario created by dependency"
}
}
}
}
}
}
|
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Risk-Related Strategic Responses Schema",
"description": "Schema for risk-related strategic responses in the Strategic Response Model",
"type": "object",
"required": ["responseID", "responseTitle", "responseDescription", "triggerReferences", "rationaleReferences"],
"properties": {
"responseID": {
"type": "string",
"description": "A unique identifier for the strategic response"
},
"responseTitle": {
"type": "string",
"description": "A concise title summarizing the strategic response"
},
"responseType": {
"type": "string",
"description": "The classification of the response",
"enum": ["Risk_Prevention", "Risk_Mitigation", "Risk_Transfer", "Risk_Acceptance", "Control_Enhancement", "Incident_Response", "Business_Continuity", "Compliance_Program", "Risk_Governance"]
},
"responseDescription": {
"type": "string",
"description": "A detailed explanation of the strategic response, its objectives, and scope"
},
"riskIDs": {
"type": "array",
"description": "Risk elements this response addresses",
"items": {
"type": "string"
}
},
"triggerReferences": {
"type": "array",
"description": "An array of triggerIDs that initiated this strategic response",
"items": {
"type": "string"
}
},
"rationaleReferences": {
"type": "array",
"description": "An array of rationaleIDs providing justification for this response",
"items": {
"type": "string"
}
},
"performanceIndicatorReferences": {
"type": "array",
"description": "Metrics or KPIs that will be used to measure the success of the strategic response",
"items": {
"type": "string"
}
},
"riskOutcomes": {
"type": "array",
"description": "Specific risk management outcomes resulting from this response",
"items": {
"type": "object",
"properties": {
"outcomeDescription": {
"type": "string",
"description": "Description of risk outcome"
},
"targetRiskLevel": {
"type": "string",
"description": "Desired risk level after response",
"enum": ["very-low", "low", "moderate", "high", "very-high"]
},
"measurementApproach": {
"type": "string",
"description": "How outcome will be measured"
}
}
}
},
"implementedControls": {
"type": "array",
"description": "Risk controls implemented by this response",
"items": {
"type": "object",
"properties": {
"controlName": {
"type": "string",
"description": "Name of control"
},
"controlDescription": {
"type": "string",
"description": "Description of control"
},
"controlType": {
"type": "string",
"description": "Type of control",
"enum": ["preventive", "detective", "corrective", "directive", "other"]
},
"implementationStatus": {
"type": "string",
"description": "Status of implementation",
"enum": ["planned", "in-progress", "implemented", "effective", "ineffective"]
}
}
}
},
"affectedDomains": {
"type": "array",
"description": "A list of business architecture domains impacted by this response",
"items": {
"type": "string",
"enum": ["Risk", "Strategy", "Capability", "Product", "Service", "Value_Stream", "Performance", "Information", "Organization", "Initiative", "Customer", "Market", "Finance"]
}
},
"implementationPlan": {
"type": "object",
"description": "Plan outlining how the response will be executed",
"properties": {
"phaseApproach": {
"type": "string",
"description": "Phasing of implementation"
},
"keyActivities": {
"type": "array",
"description": "Major implementation activities",
"items": {
"type": "string"
}
},
"resources": {
"type": "string",
"description": "Resources required for implementation"
},
"governanceStructure": {
"type": "string",
"description": "Governance over implementation"
}
}
},
"riskMonitoring": {
"type": "array",
"description": "Ongoing risk monitoring approaches",
"items": {
"type": "object",
"properties": {
"monitoringMethod": {
"type": "string",
"description": "Method for monitoring"
},
"keyIndicators": {
"type": "array",
"description": "Indicators being monitored",
"items": {
"type": "string"
}
},
"frequency": {
"type": "string",
"description": "How often monitoring occurs",
"enum": ["continuous", "daily", "weekly", "monthly", "quarterly", "annually", "event-driven"]
}
}
}
},
"expectedOutcomes": {
"type": "string",
"description": "A description of the anticipated results or benefits from implementing the response"
},
"responsibleOrgUnits": {
"type": "array",
"description": "Organisation units accountable for executing the strategic response",
"items": {
"type": "string"
}
},
"startDate": {
"type": "string",
"format": "date",
"description": "The planned start date for implementing the strategic response"
},
"endDate": {
"type": "string",
"format": "date",
"description": "The planned completion date for the strategic response"
},
"status": {
"type": "string",
"description": "The current status of the strategic response",
"enum": ["Planned", "In_Progress", "Completed", "Deferred", "Cancelled"]
},
"lastUpdated": {
"type": "string",
"format": "date",
"description": "The date when the strategic response record was last updated"
},
"residualRiskAssessment": {
"type": "string",
"description": "Assessment of risk remaining after response implementation"
},
"strategicThemes": {
"type": "array",
"description": "An array of strategic priorities that this initiative supports",
"items": {
"type": "string"
}
}
}
}
|
Property | Description | Example |
|---|---|---|
riskID | Unique identifier for the risk element | "RISK-CYBER-001" |
title | The name or title of the risk | "Critical Data Breach Risk" |
description | A detailed explanation of the risk | "The risk of unauthorized access to or exfiltration of sensitive customer data..." |
riskCategory | Classification of risk type | "technology" |
orgUnitTitle | Organization unit responsible for managing risk | "Information Security Department" |
orgUnitRoles | Specific roles managing this risk | ["Chief Information Security Officer", "Security Operations Manager"] |
riskSource | Origin of the risk | "external" |
riskOwner | Individual or role responsible for risk management | "Chief Information Security Officer" |
riskProbability | Likelihood of risk occurrence | {"level": "moderate", "numericValue": 0.35} |
riskImpact | Potential effect if risk is realized | {"level": "severe", "financialImpact": "$5-15 million"} |
riskSeverity | Combined measure of probability and impact | {"level": "high", "score": 16} |
riskTolerance | Acceptable level of this risk | {"toleranceLevel": "low", "thresholds": [{...}]} |
riskStatus | Current status in management lifecycle | "mitigated" |
mitigationStrategy | Approach to risk reduction | {"approachType": "reduce", "description": "Comprehensive cybersecurity program..."} |
residualRisk | Risk remaining after controls | {"level": "moderate", "acceptableLevel": true} |
controlEffectiveness | Effectiveness of current controls | {"level": "effective", "lastAssessment": "2025-03-15"} |
reviewFrequency | How often risk is reassessed | "quarterly" |
regulatoryImplications | Compliance aspects of this risk | [{"regulationType": "Data Protection", "regulationName": "GDPR"}] |
strategicImplications | Impact on strategic objectives | {"overallImpact": "mixed", "affectedObjectives": [{...}]} |
emergingFactors | Developing influences on this risk | [{"factorName": "AI-Enhanced Cyber Threats", "timeHorizon": "medium-term"}] |
relatedRisks | Relationships to other risks | [{"riskID": "RISK-TECH-005", "relationshipType": "contributor"}] |
keyRiskIndicators | Metrics used to monitor this risk | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
Property | Description | Example |
|---|---|---|
assessmentID | Unique identifier for the risk assessment | "ASSESS-CYBER-2025-Q1" |
assessmentTitle | Name of the specific risk assessment | "Annual Cybersecurity Risk Assessment" |
description | Detailed explanation of the risk assessment | "Comprehensive assessment of cybersecurity risks including threats, vulnerabilities..." |
orgUnitTitle | Organization unit conducting assessment | "Information Security Department" |
assessmentMethod | Methodology used for assessment | "quantitative" |
assessmentScope | Boundaries of the assessment | {"inScope": ["Enterprise applications", "Customer data systems"]} |
assessmentContext | Business context for the assessment | "Supporting digital transformation initiative while ensuring data protection" |
assessmentDate | When assessment was conducted | {"startDate": "2025-01-15", "completionDate": "2025-02-28"} |
assessmentParticipants | People involved in assessment | [{"participantName": "Sarah Johnson", "participantRole": "CISO"}] |
riskCriteria | Criteria for evaluating risks | {"probabilityCriteria": [{...}], "impactCriteria": [{...}]} |
identifiedRisks | Risks discovered during assessment | [{"riskID": "RISK-CYBER-001", "riskTitle": "Critical Data Breach Risk"}] |
riskRankings | Prioritization of risks | [{"riskID": "RISK-CYBER-001", "priority": "high"}] |
assessmentFindings | Key outcomes and insights | [{"findingTitle": "Inadequate API security controls", "findingSeverity": "high"}] |
assessmentRecommendations | Suggested actions | [{"recommendationTitle": "Implement API gateway", "recommendationPriority": "high"}] |
assessmentOwner | Responsible party for assessment | "Chief Information Security Officer" |
nextAssessment | Timing for follow-up | {"plannedDate": "2026-01-15", "triggerEvents": ["Major system change"]} |
Property | Description | Example |
|---|---|---|
controlID | Unique identifier for the risk control | "CTRL-CYBER-008" |
controlTitle | Name of the specific risk control | "Multi-factor Authentication" |
description | Detailed explanation of the risk control | "Requiring two or more verification factors before granting system access" |
orgUnitTitle | Organization unit responsible for this control | "IT Security Operations" |
controlType | Type of control measure | "preventive" |
controlCategory | Functional category of control | "technical" |
controlMethod | How control operates | "automated" |
controlObjective | What the control aims to achieve | "Prevent unauthorized access to systems and data through credential compromise" |
implementationStatus | Current implementation state | "operational" |
controlEffectiveness | How well control works | {"designEffectiveness": "effective", "operationalEffectiveness": "effective"} |
controlOwner | Responsible party for implementation | "Identity & Access Management Manager" |
controlCost | Cost of implementation and maintenance | {"implementationCost": 250000, "recurringCost": 80000, "costPeriod": "annually"} |
controlDocumentation | Reference documentation | [{"documentName": "MFA Standard", "documentType": "standard"}] |
controlTesting | How and when control is tested | {"testingMethod": "automated-monitoring", "testingFrequency": "monthly"} |
controlledRisks | Risks addressed by this control | [{"riskID": "RISK-CYBER-001", "controlWeight": 5}] |
relatedControls | Other linked control measures | [{"controlID": "CTRL-CYBER-012", "relationshipType": "complementary"}] |
controlStandards | Standards applied to this control | [{"standardName": "NIST 800-53", "standardReference": "IA-2(1)"}] |
exceptionsProcess | Process for handling control exceptions | "Requires CISO approval with business justification and compensating controls" |
Property | Description | Example |
|---|---|---|
responseID | Unique identifier for the risk response | "RESP-CYBER-003" |
responseTitle | Name of the specific risk response | "Enhanced Data Protection Program" |
description | Detailed explanation of the risk response | "Comprehensive program to strengthen data security controls and practices" |
orgUnitTitle | Organization unit responsible for this response | "Information Security Department" |
responseStrategy | Approach to handling risk | "reduce" |
responseDescription | Detailed explanation of response approach | "Implementing technical controls, process improvements, and awareness training" |
targetedRisks | Risks being addressed | [{"riskID": "RISK-CYBER-001", "targetRiskLevel": "low"}] |
responseOwner | Responsible party | "Chief Information Security Officer" |
responsePriority | Priority level | "high" |
responseStatus | Current implementation status | "in-progress" |
responseTimeline | Implementation schedule | {"startDate": "2025-01-01", "targetEndDate": "2025-06-30"} |
responseSuccess | Criteria for successful response | {"successCriteria": [{"criterionName": "Security control implementation"}]} |
responseResources | Resources required | {"budget": 750000, "personnel": [{"role": "Security Engineer"}]} |
responseReporting | How progress is reported | {"reportingFrequency": "monthly", "reportingMethod": "Executive dashboard"} |
responseReview | Process for reviewing effectiveness | {"reviewMethod": "Independent assessment", "reviewFrequency": "quarterly"} |
costBenefitAnalysis | Analysis of response value | {"implementationCost": 750000, "recurringCosts": 250000, "returnOnInvestment": "325%"} |
implementedControls | Controls implemented as part of response | [{"controlID": "CTRL-CYBER-008", "implementationStatus": "implemented"}] |
lessonsLearned | Insights from response implementation | [{"lessonDescription": "Early stakeholder engagement critical to success"}] |
Property | Description | Example |
|---|---|---|
monitoringID | Unique identifier for the risk monitoring activity | "MON-CYBER-002" |
monitoringTitle | Name of the specific risk monitoring activity | "Cybersecurity Risk Monitoring Program" |
description | Detailed explanation of the risk monitoring activity | "Continuous monitoring of key risk indicators and control effectiveness" |
orgUnitTitle | Organization unit responsible for this monitoring | "Security Operations Center" |
monitoredRisks | Risks being monitored | [{"riskID": "RISK-CYBER-001", "monitoringPriority": "high"}] |
keyRiskIndicators | Indicators being tracked | [{"indicatorName": "Security Incidents", "currentValue": "12"}] |
monitoringFrequency | Frequency of monitoring activities | {"reviewCycle": "continuous", "justification": "Critical risk requiring real-time visibility"} |
monitoringMethods | Approaches used for monitoring | [{"methodName": "SIEM Analytics", "automationLevel": "fully-automated"}] |
earlyWarningSystem | System for early detection of risk changes | {"alertMechanisms": ["Automated alerts", "Dashboard indicators"]} |
monitoringResponsibilities | People responsible for monitoring | [{"role": "SOC Analyst", "responsibilities": ["Monitor alerts", "Initial triage"]}] |
reportingStructure | How monitoring results are reported | {"reportTypes": [{"reportName": "Weekly Security Status", "reportFrequency": "weekly"}]} |
technologySystems | Systems supporting monitoring | [{"systemName": "Security Information & Event Management", "systemFunction": "Log analysis"}] |
dataManagement | How monitoring data is managed | {"dataSources": ["Firewall logs", "IDS alerts", "Authentication logs"]} |
historicalPerformance | History of monitoring effectiveness | {"successRate": "93% of incidents detected by monitoring systems"} |