Risk Management Domain

The Risk Management domain represents the structured approach to identifying, assessing, mitigating, monitoring, and responding to risks across the organization. It provides a comprehensive framework for modeling risk profiles, assessment methodologies, control mechanisms, and response strategies.

Schema Version: 2.2
Schema Location: /schemas/risk-management.schema.json
Specification: JSON Schema Draft-07

Overview

What is the Risk Management Domain?

The Risk Management domain captures the uncertainty dimensions that affect organizational activities, enabling risk-centric analysis that drives strategic planning, operational resilience, and compliance management. The domain covers:

Risk Profiles — Comprehensive views of specific risks
Risk Assessments — Structured evaluation methodologies
Risk Controls — Mechanisms to modify risk
Risk Responses — Approaches to addressing risks
Risk Monitoring — Ongoing observation and evaluation

This domain extends the Orthogramic Metamodel by providing deeper insights into risk factors, control effectiveness, and mitigation approaches.

Model Risk Management (MRM) Sub-domain

The Risk domain includes a Model Risk Management (MRM) sub-domain providing structured coverage of risks associated with model use in decision-making and regulatory reporting. MRM introduces elements for:

Model governance and validation
Performance monitoring and drift detection
Regulatory framework mapping (SR 11-7, Basel, IFRS 9, CCAR)

Purpose and Value

The Risk Management domain enables architects and planners to:

Identify and categorize risks — Systematically capture risks impacting objectives
Assess and prioritize — Evaluate risks based on likelihood and impact
Implement controls — Develop appropriate mitigation strategies
Monitor effectiveness — Track risk indicators and control performance
Support decisions — Enable data-driven risk acceptance or reduction
Drive resilience — Improve visibility into risk interdependencies

For Data Engineers

The Risk Management domain maps directly to data quality and governance:

Risk Profile → Data quality risk /Security risk
Risk Assessment → Data quality assessment
Risk Control → Data quality rule /Validation check
Risk Response → Remediation workflow
Key Risk Indicator → Data quality metric /Alert threshold

Core Components

The Risk Management domain uses a comprehensive risk lifecycle:

Risk Identification: Discovery and categorization
Risk Assessment: Analysis of probability and impact
Risk Response: Mitigation strategies and controls
Risk Monitoring: Ongoing tracking and reporting

Domain Attributes

Risk Profile Attributes

Attribute	Type	Description	Required
`riskID`	String	Unique identifier for the risk	✓
`title`	String	Name or title of the risk	✓
`description`	String	Detailed explanation of the risk	✓
`riskCategory`	Enum	Classification of risk type	✓
`orgUnitTitle`	String	Organization unit responsible
`orgUnitRoles`	Array[String]	Roles managing this risk
`riskSource`	Enum	Origin of the risk
`riskOwner`	String	Individual responsible
`riskProbability`	Object	Likelihood of occurrence
`riskImpact`	Object	Potential effect if realized
`riskSeverity`	Object	Combined probability and impact
`riskTolerance`	Object	Acceptable level of this risk
`riskStatus`	Enum	Current status in lifecycle
`mitigationStrategy`	Object	Approach to risk reduction
`residualRisk`	Object	Risk remaining after controls
`controlEffectiveness`	Object	Effectiveness of current controls
`reviewFrequency`	Enum	How often risk is reassessed
`regulatoryImplications`	Array[Object]	Compliance aspects
`strategicImplications`	Object	Impact on strategic objectives
`emergingFactors`	Array[Object]	Developing influences
`relatedRisks`	Array[Object]	Relationships to other risks
`keyRiskIndicators`	Array[Object]	Metrics for monitoring

Enumeration Values

Risk Category (`riskCategory`)

Value	Description	Example
`Strategic`	Strategic direction risks	Market shifts, competition
`Operational`	Day-to-day operations risks	Process failures, capacity
`Financial`	Financial performance risks	Liquidity, credit, market
`Compliance`	Regulatory compliance risks	Violations, penalties
`Technology`	Technology-related risks	Cyber, system failures
`Reputational`	Brand and reputation risks	Public trust, media
`Legal`	Legal and contractual risks	Litigation, contracts
`People`	Human capital risks	Talent, safety, culture
`Environmental`	Environmental risks	Climate, sustainability
`Model`	Model-related risks	ML/AI model failures

Risk Source (`riskSource`)

Value	Description	Example
`External`	Outside organization	Market conditions
`Internal`	Within organization	Process gaps
`Third-Party`	Vendors and partners	Supplier failures
`Regulatory`	Regulatory changes	New requirements
`Technology`	Technology changes	Disruption

Risk Status (`riskStatus`)

Value	Description
`Identified`	Risk identified, not assessed
`Assessed`	Assessment completed
`Mitigated`	Controls in place
`Accepted`	Risk accepted as-is
`Transferred`	Risk transferred (insurance)
`Avoided`	Activity discontinued
`Monitoring`	Under ongoing monitoring
`Closed`	Risk no longer applicable

Risk Response Type (`mitigationApproachType`)

Value	Description	Example
`Avoid`	Discontinue risk-creating activity	Exit market
`Reduce`	Implement controls to reduce	Process improvements
`Transfer`	Shift risk to third party	Insurance, outsourcing
`Accept`	Accept risk within tolerance	Minor operational risks
`Share`	Share risk with partners	Joint ventures

Control Type (`controlType`)

Value	Description	Example
`Preventive`	Prevent risk occurrence	Access controls
`Detective`	Detect risk occurrence	Monitoring, alerts
`Corrective`	Correct after occurrence	Incident response
`Compensating`	Alternative control	Manual review

Control Category (`controlCategory`)

Value	Description	Example
`Technical`	Technology-based	Encryption, firewalls
`Administrative`	Policy-based	Procedures, training
`Physical`	Physical security	Locks, badges
`Operational`	Process-based	Segregation of duties

Risk Assessment Elements

Attribute	Type	Description
`assessmentID`	String	Unique identifier
`assessmentTitle`	String	Name of assessment
`description`	String	Assessment description
`assessmentMethod`	Enum	Methodology: `Qualitative`, `Quantitative`, `Hybrid`
`assessmentScope`	Object	Boundaries of assessment
`assessmentContext`	String	Business context
`assessmentDate`	Object	When conducted
`assessmentParticipants`	Array[Object]	People involved
`riskCriteria`	Object	Evaluation criteria
`identifiedRisks`	Array[Object]	Risks discovered
`riskRankings`	Array[Object]	Prioritization
`assessmentFindings`	Array[Object]	Key outcomes
`assessmentRecommendations`	Array[Object]	Suggested actions
`assessmentOwner`	String	Responsible party
`nextAssessment`	Object	Follow-up timing

Risk Control Elements

Attribute	Type	Description
`controlID`	String	Unique identifier
`controlTitle`	String	Name of control
`description`	String	Control description
`controlType`	Enum	Type of control
`controlCategory`	Enum	Functional category
`controlMethod`	Enum	Operation: `Manual`, `Automated`, `Hybrid`
`controlObjective`	String	What control achieves
`implementationStatus`	Enum	Implementation state
`controlEffectiveness`	Object	How well it works
`controlOwner`	String	Responsible party
`controlCost`	Object	Implementation and maintenance cost
`linkedRisks`	Array[Object]	Risks addressed
`testingSchedule`	Object	Testing frequency
`lastTestDate`	Date	Last test performed
`testResults`	Array[Object]	Test outcomes

Key Risk Indicator Elements

Attribute	Type	Description
`indicatorName`	String	Name of KRI
`description`	String	Indicator description
`currentValue`	Number	Current measurement
`threshold`	Number	Alert threshold
`trend`	Enum	Direction: `Increasing`, `Decreasing`, `Stable`
`monitoringFrequency`	Enum	Measurement frequency
`dataSource`	String	Source of data
`owner`	String	Responsible party

Domain Relationships

The Risk Management domain integrates with other metamodel domains:

Target Domain	Relationship Type	Description
Strategy	Alignment	Risks aligned to strategic objectives
Capabilities	Exposure	Capabilities expose to risks
Policy	Governance	Policies govern risk management
Performance	Measurement	Risk KPIs tracked
Finance	Impact	Financial impact of risks
Technology	Exposure	Technology risks identified
Information	Protection	Information security risks
Initiatives	Response	Initiatives address risks
Organization	Ownership	Org units own risks
Compliance	Requirements	Compliance risks managed

Examples

Example 1: Cybersecurity Risk Profile

{
  "riskID": "RISK-CYBER-001",
  "title": "Critical Data Breach Risk",
  "description": "The risk of unauthorized access to or exfiltration of sensitive customer and financial data through external cyberattack or internal compromise, resulting in regulatory sanctions, financial loss, and reputational damage.",
  "riskCategory": "Technology",
  "orgUnitTitle": "Information Security Department",
  "orgUnitRoles": ["Chief Information Security Officer", "Security Operations Manager", "Data Protection Officer"],
  "riskSource": "External",
  "riskOwner": "Chief Information Security Officer",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.35,
    "rationale": "Based on threat intelligence showing increased targeting of our industry, balanced against our enhanced security controls",
    "timeHorizon": "12 months"
  },
  "riskImpact": {
    "level": "severe",
    "financialImpact": "$5-15 million",
    "nonFinancialImpacts": [
      {
        "impactType": "reputational",
        "description": "Severe damage to brand trust and customer confidence",
        "severity": "high"
      },
      {
        "impactType": "regulatory",
        "description": "Substantial fines under data protection regulations",
        "severity": "high"
      },
      {
        "impactType": "operational",
        "description": "Service disruption during incident response",
        "severity": "medium"
      }
    ],
    "rationale": "Based on analysis of recent industry breaches and our specific data exposure"
  },
  "riskSeverity": {
    "level": "high",
    "score": 16,
    "calculationMethod": "5x5 risk matrix combining probability and impact values"
  },
  "riskTolerance": {
    "toleranceLevel": "low",
    "thresholds": [
      {
        "metricName": "Security incidents involving PII",
        "thresholdValue": "0",
        "responseRequired": "Immediate executive notification and investigation"
      },
      {
        "metricName": "Failed security tests",
        "thresholdValue": ">5%",
        "responseRequired": "Security remediation within 48 hours"
      }
    ]
  },
  "riskStatus": "Mitigated",
  "mitigationStrategy": {
    "approachType": "Reduce",
    "description": "Comprehensive cybersecurity program including advanced threat protection, security monitoring, encryption, access controls, and security awareness training",
    "expectedOutcome": "Reduce likelihood of successful breach while maintaining detection capabilities",
    "implementationStatus": "Implemented"
  },
  "residualRisk": {
    "level": "moderate",
    "acceptableLevel": true,
    "description": "Remaining risk primarily related to zero-day vulnerabilities and sophisticated threat actors",
    "additionalControls": [
      "Investigating additional advanced endpoint protection",
      "Enhancing threat hunting capabilities"
    ]
  },
  "controlEffectiveness": {
    "level": "effective",
    "lastAssessment": "2025-03-15",
    "improvementNeeds": [
      "Strengthen third-party security assessment process",
      "Enhance cloud security monitoring"
    ]
  },
  "reviewFrequency": "Quarterly",
  "regulatoryImplications": [
    {
      "regulationType": "Data Protection",
      "regulationName": "GDPR",
      "implications": "Breach notification requirements and potential fines up to 4% of global revenue",
      "complianceStatus": "Compliant"
    },
    {
      "regulationType": "Financial",
      "regulationName": "PCI-DSS",
      "implications": "Requirements for securing payment card data",
      "complianceStatus": "Compliant"
    }
  ],
  "strategicImplications": {
    "overallImpact": "mixed",
    "affectedObjectives": [
      {
        "objectiveID": "STRAT-DIGITAL-003",
        "impactDescription": "Risk considerations require adjustment to cloud migration timeline",
        "impactSeverity": "moderate"
      }
    ]
  },
  "emergingFactors": [
    {
      "factorName": "AI-Enhanced Cyber Threats",
      "description": "Increasing sophistication of attacks using AI to evade detection",
      "potentialImpact": "Could increase probability of successful breach",
      "timeHorizon": "medium-term",
      "monitoringApproach": "Threat intelligence subscription and quarterly assessment"
    },
    {
      "factorName": "Extended Supply Chain Exposure",
      "description": "Increasing integration with third-party systems expanding attack surface",
      "potentialImpact": "New vectors for data compromise",
      "timeHorizon": "immediate",
      "monitoringApproach": "Third-party security assessment program"
    }
  ],
  "relatedRisks": [
    {
      "riskID": "RISK-TECH-005",
      "relationshipType": "contributor",
      "relationshipStrength": 4,
      "description": "Legacy System Maintenance Risk contributes to cybersecurity vulnerabilities"
    },
    {
      "riskID": "RISK-COMP-002",
      "relationshipType": "consequence",
      "relationshipStrength": 5,
      "description": "Data breach would trigger Regulatory Compliance Risk"
    }
  ],
  "keyRiskIndicators": [
    {
      "indicatorName": "Security Incidents",
      "description": "Number of security incidents detected per month",
      "currentValue": 12,
      "threshold": 25,
      "trend": "Stable",
      "monitoringFrequency": "Daily"
    },
    {
      "indicatorName": "Vulnerability Remediation Time",
      "description": "Average days to remediate critical vulnerabilities",
      "currentValue": 4.5,
      "threshold": 7,
      "trend": "Decreasing",
      "monitoringFrequency": "Weekly"
    },
    {
      "indicatorName": "Phishing Test Failure Rate",
      "description": "Percentage of employees clicking on simulated phishing",
      "currentValue": 8,
      "threshold": 15,
      "trend": "Decreasing",
      "monitoringFrequency": "Monthly"
    }
  ]
}

Example 2: Data Quality Risk

{
  "riskID": "RISK-DATA-001",
  "title": "Data Quality Degradation Risk",
  "description": "Risk of inaccurate or incomplete data affecting business decisions and regulatory reporting",
  "riskCategory": "Operational",
  "orgUnitTitle": "Data Governance Office",
  "riskOwner": "Chief Data Officer",
  "riskSource": "Internal",
  "riskProbability": {
    "level": "moderate",
    "numericValue": 0.40
  },
  "riskImpact": {
    "level": "high",
    "financialImpact": "$2-5 million annually",
    "nonFinancialImpacts": [
      {
        "impactType": "operational",
        "description": "Poor business decisions based on flawed data",
        "severity": "high"
      },
      {
        "impactType": "regulatory",
        "description": "Inaccurate regulatory reporting",
        "severity": "medium"
      }
    ]
  },
  "riskStatus": "Mitigated",
  "mitigationStrategy": {
    "approachType": "Reduce",
    "description": "Data quality program with automated validation, monitoring, and remediation workflows"
  },
  "keyRiskIndicators": [
    {
      "indicatorName": "Data Quality Score",
      "description": "Overall data quality across critical data elements",
      "currentValue": 94.5,
      "threshold": 90,
      "trend": "Increasing"
    },
    {
      "indicatorName": "Failed Data Quality Rules",
      "description": "Number of data quality rule failures per day",
      "currentValue": 45,
      "threshold": 100,
      "trend": "Stable"
    }
  ]
}

Example 3: Model Risk (MRM)

{
  "riskID": "RISK-MODEL-001",
  "title": "Credit Scoring Model Risk",
  "description": "Risk of model degradation or bias in credit scoring model affecting lending decisions",
  "riskCategory": "Model",
  "orgUnitTitle": "Model Risk Management",
  "riskOwner": "Chief Risk Officer",
  "riskSource": "Internal",
  "riskStatus": "Monitoring",
  "mitigationStrategy": {
    "approachType": "Reduce",
    "description": "Regular model validation, performance monitoring, and drift detection"
  },
  "regulatoryImplications": [
    {
      "regulationType": "Supervisory Guidance",
      "regulationName": "SR 11-7",
      "implications": "Model validation and governance requirements",
      "complianceStatus": "Compliant"
    }
  ],
  "keyRiskIndicators": [
    {
      "indicatorName": "Model Performance (Gini)",
      "description": "Gini coefficient for model discrimination",
      "currentValue": 0.72,
      "threshold": 0.65,
      "trend": "Stable"
    },
    {
      "indicatorName": "Population Stability Index",
      "description": "PSI measuring data drift",
      "currentValue": 0.08,
      "threshold": 0.10,
      "trend": "Increasing"
    }
  ]
}

Implementation Guidelines

Risk Management Best Practices

Establish governance — Define clear risk ownership and accountability
Use consistent methodology — Apply standardized assessment approaches
Prioritize effectively — Focus resources on highest-impact risks
Test controls — Regularly validate control effectiveness
Monitor continuously — Track KRIs and emerging risks

Risk Assessment Matrix

Control Framework

Control Layer	Purpose	Examples
Preventive	Stop risk occurrence	Access controls, encryption
Detective	Identify occurrences	Monitoring, alerts, audits
Corrective	Fix after occurrence	Incident response, recovery
Compensating	Alternative protection	Manual reviews, oversight

OpenMetadata Integration

For Data Platform Teams

When integrating with OpenMetadata, map Risk entities as follows:

Orthogramic Element	OpenMetadata Entity	Notes
Risk Profile	Tag/Classification	Risk tagging
Risk Control	Test Definition	Data quality tests
Key Risk Indicator	Test Result	Quality metrics
Risk Assessment	Test Suite	Assessment suites
Control Effectiveness	Test Status	Pass/fail tracking

# Example: Map Risk Control to OpenMetadata Test
def create_risk_control_test(control):
    """
    Map Orthogramic Risk Control to OpenMetadata Test Definition
    """
    return {
        "name": control["controlID"].lower(),
        "displayName": control["controlTitle"],
        "description": control["description"],
        "testDefinitionType": "dataQuality",
        "testPlatforms": ["OpenMetadata"],
        "parameterDefinition": [
            {
                "name": "threshold",
                "displayName": "Threshold",
                "dataType": "NUMBER",
                "required": True
            }
        ],
        "owner": {"name": control.get("controlOwner", ""), "type": "user"},
        "tags": [
            {"tagFQN": f"ControlType.{control['controlType']}"},
            {"tagFQN": f"ControlCategory.{control['controlCategory']}"}
        ]
    }

Schema Reference

Repository: Orthogramic/Orthogramic_Metamodel
Schema Location: /schemas/risk-management.schema.json
Version: 2.2
Specification: JSON Schema Draft-07
License: Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0)

Previous: Finance Domain | Next: Supply Chain Domain

Overview​

What is the Risk Management Domain?​

Model Risk Management (MRM) Sub-domain​

Purpose and Value​

Core Components​

Domain Attributes​

Risk Profile Attributes​

Enumeration Values​

Risk Category (riskCategory)​

Risk Source (riskSource)​

Risk Status (riskStatus)​

Risk Response Type (mitigationApproachType)​

Control Type (controlType)​

Control Category (controlCategory)​

Risk Assessment Elements​

Risk Control Elements​

Key Risk Indicator Elements​

Domain Relationships​

Examples​

Example 1: Cybersecurity Risk Profile​

Example 2: Data Quality Risk​

Example 3: Model Risk (MRM)​

Implementation Guidelines​

Risk Management Best Practices​

Risk Assessment Matrix​

Control Framework​

OpenMetadata Integration​

Schema Reference​