The Object Management Group (OMG) has issued a Request for Information (RFI) about risk management concepts, models, practices, languages, and existing standards. We are interested in identifying the need for standards to document and analyze risk, including models of probability, severity, impact, mitigation, and residual risk.
The scope includes all kinds of risk to a business, not just technical risks (e.g., cybersecurity). An initial classification of business risks is shown in the section below. This is not meant to limit or constrain the responses. In fact, we are interested in identifying additional areas of risk that we may have overlooked.
The questions are divided into two key sections. The first section requests demographic information about the respondent and the context of their response. The second section requests concepts, models, practices, languages, and existing standards used by the respondents in their risk management activities, as well as suggested approaches to improve the modeling and analysis of risk.
We do not require the sharing of any confidential information, and we encourage respondents to identify themselves so that we can follow up with questions and invitations to participate in future work on this topic area. However, we recognize that many commercial enterprises are understandably sensitive to the disclosure of their risk management practices. Therefore, if requested by a respondent, OMG will remove identifying information from their RFI response before publication to OMG members and any external organizations.
We realize that there are a number of standards already in place, including but not limited to the ISO 31000 family of standards or the NIST Risk Management Framework 2.0, but that they are described in general terms, not through a metamodel and/or language.
Ultimately, OMG may solicit through an RFP a Risk Metamodel, but before getting to that point, we solicit responses to this RFI to understand:
- what models and standards already exist,
- what types of risk need to be considered,
- what the community of users and vendors considers the highest priorities for standardization.
Note: the initial response deadline of December 6, 2019, mentioned in the RFI has been extended to February 24, 2020.

Initial classification of business risks:
- Financial market risk
- Credit risk
- Liquidity risk
- Human factor risk
- Technology risk
- Natural events risk
- Litigation risk
- Regulatory risk
- Tax risk
- Political risk
- Intellectual property risk
- Cybersecurity risk
- Product market risk
- Supply chain risk
- Strategic risk
- Reputation risk
- Consumer confidence risk