Risk Management

Object Management Group has issued an RFI about risk management concepts, models, practices, languages, and existing standards. We are interested in identifying the need for standards to document and analyze risk, including models of probability, severity, impact, mitigation, and residual risk.

The scope includes all kinds of risk to a business, not just technical risks (e.g., cybersecurity). An initial classification of business risks is shown in the section below. This is not meant to limit or constrain the responses. In fact, we are interested in identifying additional areas of risk that we may have overlooked.

The questions are divided into two key sections. The first section requests demographic information about the respondent and the context of their response. The second section requests concepts, models, practices, languages, and existing standards used by the respondents in their risk management activities, as well as suggested approaches to improve the modeling and analysis of risk.

We do not require the sharing of any confidential information, and we encourage respondents to identify themselves so that we can follow up with questions and invitations to participate in future work on this topic area. However, we recognize that many commercial enterprises are understandably sensitive to the disclosure of their risk management practices. Therefore, if requested by a respondent, OMG will remove identifying information from their RFI response before publication to OMG members and any external organizations.

We realize that there are a number of standards already in place, including but not limited to the ISO 31000 family of standards or the NIST Risk Management Framework 2.0, but that they are described in general terms, not through a metamodel and/or language.

Ultimately, OMG may solicit through an RFP a Risk Metamodel, but before getting to that point, we solicit responses to this RFI to understand:

what models and standards already exist,
what are all the types of risks to be considered,
what the community of users and vendors think are the highest priorities for standardization.

Note: the initial response deadline of December 6, 2019, mentioned in the RFI has been extended to February 24, 2020.

Risk Classification

Financial market risk
Credit risk
Liquidity risk
Human factor risk
Technology risk
Natural events risk

Litigation risk
Regulatory risk
Tax risk
Political risk
Intellectual property risk
Tax risks

Cybersecurity risk
Product market risk
Supply chain risk
Strategic risk
Reputation risk
Consumer confidence risk

Read RFI Task Force Talk to OMG

Frequently Asked Questions:

Who may respond?

Responses are welcome from anyone in industry, government or academia with practical knowledge in the area of risk management.

Do I need to be a member of OMG to respond?

No, you do not need to be a member of OMG in order to respond to the RFI. When and if OMG issues a subsequent Request for Proposals (RFP) in this area, OMG members at the appropriate membership level will be eligible to respond with detailed specifications. OMG is an open membership organization. Any company, university or organization is welcome to join and participate. For information, consult https://www.omg.org/membership.

What is the review process?

OMG RFIs are issued with the intent to survey industry to obtain information that provides guidance, which will be used in the preparation of RFPs. The OMG membership, specifically the Business Modeling & Integration Domain Task Force, will review responses to this RFI. Based on those responses, the BMI DTF will augment its roadmap and may issue one or more RFPs.

What if I have questions while I am completing my response to this RFI?

Within the RFI there is a contact provided to ask additional questions for clarification.